[Dovecot] Proxying, pertinent values and features, SNI

Christian Balzer chibi at gol.com
Tue Apr 9 06:56:11 EEST 2013


On Thu, 4 Apr 2013 22:21:43 +0300 Timo Sirainen wrote:

> On 3.4.2013, at 10.59, Christian Balzer <chibi at gol.com> wrote:
> 
> > I'm looking into deploying dovecot as a proxy, currently using
> > perdition. Have been using dovecot on the actual servers for years,
> > nearly a decade. So far just 1.x, but for the proxy it will have to be
> > 2.x (2.1.7 is the current Debian version), as the trigger for this
> > change is the need to support multiple SSL certificates. 
> > 
> > All that happens on the proxy seems to be handled by the login
> > processes, so that is why we're not seeing anything useful in the
> > process titles or with doveadm, right? 
> > And from past comments by Timo I guess that adding such functionality
> > isn't on his to-do list at all.
> 
> doveadm proxy list
> 
That will teach me to look at man pages. ^o^
Internal help all the way, man pages are for chums. ^o^

Thanks!

> > A configurable capabilities string for POP would be quite welcome, but
> > at least nothing is different between the 1.x backends and the 2.x
> > proxy in that protocol.
> 
> v2.2 backends actually add some new POP3 capabilities. I guess there
> could be such a setting, although it's a bit annoying to develop..
> 
I guess so, but that will really make it a universally deployable proxy
and help people transitioning to dovecot from other environments, too.

[snip]
> 
> > I presume to best support all(?) clients out there is to have
> > "local_name" sections for SNI first and then "local" sections for IP
> > address based certs. It is my understanding that SNI needs to be
> > requested by the client, so aside from client bugs (nah, those don't
> > exist ^o^) every client should get an appropriate response for TLS. 
> > Has anybody done a setup like that already?
> 
> If you have separate IPs for each certificate, you don't need to
> support/configure SNI, so local {} blocks are enough.
> 
I know that, the idea was/is to determine how many (connects and clients)
do a proper TLS/SNI negotiation if offered.
However, are these even differently logged by dovecot? I suspect not.

Regards,

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi at gol.com   	Global OnLine Japan/Fusion Communications
http://www.gol.com/
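The layout discussed above (SNI `local_name` sections first, then IP-based `local` sections, with a global fallback certificate), written out as an added dovecot 2.x configuration fragment. This is not configuration from the thread or from the Dovecot project; the hostnames, addresses and certificate paths are placeholders chosen for illustration.

```conf
# Added example: multi-certificate TLS for a dovecot 2.x proxy.
# Hostnames, IPs and paths below are illustrative placeholders.

ssl = required

# Global fallback: used when neither an SNI name nor a listening IP
# below matches (e.g. a client that does not send SNI at all).
ssl_cert = </etc/ssl/certs/proxy-default.pem
ssl_key  = </etc/ssl/private/proxy-default.key

# 1) SNI-based selection: a client that sends server_name in the
#    ClientHello gets the certificate matching that name.
local_name imap.example.net {
  ssl_cert = </etc/ssl/certs/imap.example.net.pem
  ssl_key  = </etc/ssl/private/imap.example.net.key
}

local_name mail.example.org {
  ssl_cert = </etc/ssl/certs/mail.example.org.pem
  ssl_key  = </etc/ssl/private/mail.example.org.key
}

# 2) IP-based selection: a client that does not send SNI is served
#    the certificate bound to the address it connected to.
local 192.0.2.10 {
  ssl_cert = </etc/ssl/certs/imap.example.net.pem
  ssl_key  = </etc/ssl/private/imap.example.net.key
}

local 192.0.2.11 {
  ssl_cert = </etc/ssl/certs/mail.example.org.pem
  ssl_key  = </etc/ssl/private/mail.example.org.key
}
```

To confirm which certificate a non-SNI client actually receives, compare the `subject` shown by `openssl s_client -connect 192.0.2.10:993` against the same command with `-servername imap.example.net` added; the first exercises the `local` path, the second the `local_name` path, and both should present the expected certificate before the proxy goes into production.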

