TLS communication director -> backend with X.509 cert checks?

Heiko Schlittermann hs at schlittermann.de
Tue Oct 13 18:44:37 UTC 2015


Hello,

using Dovecot 2.2.9 and a setup with directors and backends.
The communication between directors and backends needs to be TLS
secured.

The director config contains a list of hostnames for the backends.
(implicit list because of multiple A/AAAA records for a single hostname
or explicit list of several host names)

On connection setup from a client the director connects to the
selected backend. But it seems (not checked in the source yet),
that for SSL certificate verification the director doesn't know the
original host name anymore. The certificate's CN gets compared to
the IP address the director connects to.

Oct 12 23:56:51 director2 dovecot: director: Error: director(2001:683:921:f33::5:1:9090/out): connect() failed: Connection reset by peer
Oct 12 23:57:53 director2 dovecot: imap-login: Error: proxy: hostname doesn't match SSL certificate at 2001:683:921:f33::5:fe:993: user=<foo>, method=PLAIN, rip=2001:638:912:f33::1:1, lip=2001:638:912:f33::5:2, TLS, session=<fLrUa+8hggAgAQY4CRIPMwAAAAAAAQAB>

In 10-directors.conf I've:
director_mail_servers = backend1.<domain> backend2.<domain>

Should I create certificates with IP address in SAN? (Any hint about the
correct syntax for the openssl.conf is welcome). Or is there any chance
that this is fixed already or will be fixed in the near future or even
better, that it's my fault?

    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
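The question above asks for the openssl.conf syntax that puts an IP address into the SAN. The following is an added example written for this page, not Dovecot code and not something the original poster supplied. It issues a backend certificate whose subjectAltName carries both the hostname listed in director_mail_servers and the addresses the director actually connects to, then checks individual addresses against it with `openssl verify -verify_ip`. The hostname backend1.example.com and the addresses 192.0.2.10, 2001:db8::5 and 2001:db8::6 are made up; the certificate is self-signed only so the script runs offline (for production, send the CSR to your CA with the same -config/-extensions arguments).

```shell
#!/bin/sh
# Added example (not Dovecot's code): certificate with DNS and IP SAN
# entries for a backend that directors reach by IP address.
# All hostnames and addresses below are constructed for the example.

# san_value HOST [ADDR...] -> "DNS:HOST,IP:ADDR1,IP:ADDR2,..."
# This is the subjectAltName syntax openssl.cnf expects; IPv6 literals
# are written as-is after "IP:".
san_value() {
    host=$1; shift
    san="DNS:$host"
    for addr in "$@"; do
        san="$san,IP:$addr"
    done
    printf '%s\n' "$san"
}

# write_req_config OUTFILE HOST [ADDR...]
# Writes a minimal openssl.cnf whose v3_req section requests the SAN.
write_req_config() {
    out=$1; host=$2; shift 2
    cat > "$out" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
req_extensions     = v3_req

[ req_dn ]
CN = $host

[ v3_req ]
subjectAltName = $(san_value "$host" "$@")
EOF
}

# make_backend_cert DIR HOST [ADDR...] -> DIR/backend.key, DIR/backend.crt
# Self-signed here so the example runs offline; -extensions v3_req makes
# the SAN from the config land in the certificate rather than only in a CSR.
make_backend_cert() {
    dir=$1; host=$2; shift 2
    write_req_config "$dir/openssl.cnf" "$host" "$@"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/backend.key" -out "$dir/backend.crt" \
        -config "$dir/openssl.cnf" -extensions v3_req >/dev/null 2>&1
}

# verify_ip_against CERT ADDR -> 0 if ADDR matches a SAN iPAddress entry.
# -verify_ip applies the same X509_check_ip logic a TLS client uses for an
# IP peer; the self-signed cert doubles as its own trust anchor (-CAfile).
verify_ip_against() {
    cert=$1; addr=$2
    openssl verify -CAfile "$cert" -verify_ip "$addr" "$cert" >/dev/null 2>&1
}

# demo: issue a cert for two addresses and show which addresses verify.
demo() {
    tmp=$(mktemp -d) || return 1
    make_backend_cert "$tmp" backend1.example.com 192.0.2.10 2001:db8::5 || return 1
    for addr in 192.0.2.10 2001:db8::5 2001:db8::6; do
        if verify_ip_against "$tmp/backend.crt" "$addr"; then
            echo "$addr: matches certificate"
        else
            echo "$addr: hostname doesn't match SSL certificate"
        fi
    done
    rm -rf "$tmp"
}
```

Run `demo` after sourcing the script; 192.0.2.10 and 2001:db8::5 verify, 2001:db8::6 does not. Two caveats: OpenSSL's IP check looks only at SAN iPAddress entries, so putting the address into the CN does not help; and every address the director can pick (all A/AAAA records of each backend name) must appear in that backend's certificate, so reissue it whenever an address is added.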