TLS communication director -> backend with X.509 cert checks?

Timo Sirainen tss at iki.fi
Tue Oct 13 21:49:20 UTC 2015


On 14 Oct 2015, at 00:34, Heiko Schlittermann <hs at schlittermann.de> wrote:
> 
> Hi Timo,
> 
> Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23 CEST):
>>> Does the attached patch work? Compiles, but untested.
>> I'm about to test it.
> 
> It seems to update the struct mail_host, but it looks as if the data 
> in mail_host do not propagate down to login_proxy_new(). 
> 
> In other words, in login_proxy_new() set->host contains the IP address,
> correctly, because the director chose it, but where can I find the
> hostname there? And we need a way to pass the host*name* further, to the
> SSL verification step, don't we?

Proxying in general does check that the hostname matches the SSL certificate, because both the hostname and IP address are sent to the login process. So it should work in a way that host=<hostname> and hostip=<ip> is sent. I thought my patch did that. Normally auth_debug=yes would be enough to debug this, but this happens between director and login process so I don't think it's going to be of much use. The login process's client_auth_parse_args() is what should see these two parameters correctly.

I can check this further tomorrow.
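As an added illustration (not code from Dovecot, from the patch under discussion, or from either poster), here is a small Python sketch of the split the reply describes: the login process receives both host= and hostip=, connects to the IP the director chose, and checks the backend certificate against the hostname. The field names host, hostip, port, ssl and starttls follow the thread and Dovecot's passdb proxy fields; the helper names, the default port of 143 and the strict refusal to start TLS when only an IP literal is known are assumptions of this example.

```python
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProxyTarget:
    connect_host: str            # what we actually connect to: hostip= if present, else host=
    port: int
    verify_name: Optional[str]   # name the server certificate must match; None if only an IP is known
    use_ssl: bool


def parse_proxy_args(args: List[str]) -> Dict[str, str]:
    """Split a passdb-style extra-field list into a dict.

    Input like ['proxy', 'host=mail1.example.com', 'hostip=10.0.0.5', 'ssl=yes'].
    A bare key (no '=') is treated as the flag value 'yes'. Hypothetical parser,
    not Dovecot's client_auth_parse_args().
    """
    fields: Dict[str, str] = {}
    for item in args:
        key, sep, value = item.partition("=")
        fields[key] = value if sep else "yes"
    return fields


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def resolve_proxy_target(fields: Dict[str, str], default_port: int = 143) -> ProxyTarget:
    """Decide where to connect and which name to verify the certificate against.

    Policy (an assumption of this example, not Dovecot's documented behaviour):
    connect to hostip= when the director supplied one, verify against host=,
    and refuse to start TLS when no DNS name is available to check, since an
    IP literal is not what a backend certificate's SAN normally carries.
    """
    host = fields.get("host")
    hostip = fields.get("hostip")
    if not host and not hostip:
        raise ValueError("proxy destination missing: neither host= nor hostip= given")

    connect_host = hostip or host
    verify_name = host if host and not _is_ip_literal(host) else None
    use_ssl = fields.get("ssl") == "yes" or fields.get("starttls") == "yes"
    if use_ssl and verify_name is None:
        raise ValueError(
            f"TLS requested for {connect_host} but only an IP address is known; "
            "no hostname to verify the certificate against"
        )
    return ProxyTarget(connect_host, int(fields.get("port", default_port)), verify_name, use_ssl)


def open_proxy_connection(target: ProxyTarget, timeout: float = 10.0) -> socket.socket:
    """Connect to target.connect_host and, if requested, wrap the socket in TLS
    verified against target.verify_name (chain validation plus hostname match).
    Needs a reachable backend, so it is not exercised by the offline checks."""
    sock = socket.create_connection((target.connect_host, target.port), timeout=timeout)
    if not target.use_ssl:
        return sock
    ctx = ssl.create_default_context()          # verifies the chain, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # server_hostname sets SNI and is the name compared against the certificate,
    # independent of the IP the TCP connection actually went to.
    return ctx.wrap_socket(sock, server_hostname=target.verify_name)
```

The point of keeping connect_host and verify_name separate is exactly Heiko's question: the director can pick the backend by IP, but certificate verification still needs the DNS name, so both have to travel to the login process rather than the IP alone.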
