Pluggable SNI?

Timo Sirainen tss at iki.fi
Tue Jun 21 22:04:45 UTC 2016


On 21 Jun 2016, at 22:58, Felipe Gasper <felipe at felipegasper.com> wrote:
> 
> Hello,
> 
> 	How feasible would it be to have a “pluggable” Dovecot setup that would permit arbitrary logic for fetching TLS/SNI certificates and key, rather than having to hard-code each domain’s resources in a configuration file?
> 
> 	A couple scenarios that I envision such a framework being able to accommodate:
> 
> 1) An internal TLS service that accepts queries via a UNIX socket by domain name and returns certificate/key.
> 
> 2) A directory where these resources are stored, indexed by domain name.

Configuration settings are looked up from $base_dir/config socket. In theory you could replace this socket with your own proxy service, which forwards all requests to the real config process and changes the reply in whatever way you want. You should be able to change the default config socket with:

service config {
  unix_listener config {
    path = config-old
  }
}
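As an added illustration of the proxy approach Timo describes (this is not code from the thread or from Dovecot), the following Python sketch listens on a UNIX socket named `config`, forwards every request byte-for-byte to the relocated real socket (`config-old`, as in the service block above), and passes the reply through a rewrite hook before returning it to the caller. The page does not describe the config socket's wire format, so the example assumes replies are newline-delimited `key=value` lines and rewrites `ssl_cert`/`ssl_key` lines to point at files in a per-domain directory (Felipe's scenario 2); the directory layout, the domain name and the canned reply served by the stand-in "real" config process are all constructed for the demo and would have to be replaced with the real protocol handling in practice.

```python
import os
import socket
import tempfile
import threading

# Constructed stand-in for what the real config process might answer.
# The real reply format is not documented on this page; the key=value
# line shape is an assumption made for the demo.
CANNED_REPLY = (b"ssl_cert=/etc/dovecot/default-cert.pem\n"
                b"ssl_key=/etc/dovecot/default-key.pem\n"
                b"listen=*\n")


def make_cert_rewriter(cert_dir, domain):
    """Hypothetical reply hook: redirect ssl_cert/ssl_key lines to files
    named after the domain in cert_dir (scenario 2 from the question)."""
    ext = {b"ssl_cert": "pem", b"ssl_key": "key"}

    def rewrite(line):
        key, sep, _ = line.partition(b"=")
        if sep and key in ext:
            return key + b"=" + os.path.join(cert_dir, f"{domain}.{ext[key]}").encode()
        return line  # every other setting passes through untouched
    return rewrite


def relay(src, dst, transform):
    """Copy src -> dst, applying transform() to each newline-terminated line,
    and propagate src's end-of-stream as a write shutdown on dst."""
    buf = b""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            dst.sendall(transform(line) + b"\n")
    if buf:  # trailing partial line without newline
        dst.sendall(transform(buf))
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone


def serve_connection(client, backend_path, rewrite):
    """Pair one client connection with one connection to the real socket."""
    backend = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    backend.connect(backend_path)
    upstream = threading.Thread(target=relay, args=(client, backend, lambda l: l))
    upstream.start()              # requests are forwarded unchanged
    relay(backend, client, rewrite)  # replies are rewritten on the way back
    upstream.join()
    backend.close()
    client.close()


def _listen(path):
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    return srv


def start_proxy(listen_path, backend_path, rewrite):
    """Accept connections on listen_path in a background thread."""
    srv = _listen(listen_path)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve_connection, args=(conn, backend_path, rewrite),
                             daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv


def start_fake_backend(path, reply):
    """Constructed stand-in for the real config process: drain the request,
    send the canned reply, close."""
    srv = _listen(path)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while conn.recv(4096):
                    pass  # wait for the client's write shutdown
                conn.sendall(reply)
    threading.Thread(target=loop, daemon=True).start()
    return srv


def query(path, request):
    """Send one request to a UNIX socket and collect the whole reply."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    s.sendall(request)
    s.shutdown(socket.SHUT_WR)
    out = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        out += chunk
    s.close()
    return out


def demo(base_dir=None):
    """Wire real socket 'config-old' and proxy socket 'config' in a temp dir."""
    base_dir = base_dir or tempfile.mkdtemp()
    real_sock = os.path.join(base_dir, "config-old")
    proxy_sock = os.path.join(base_dir, "config")
    start_fake_backend(real_sock, CANNED_REPLY)
    start_proxy(proxy_sock, real_sock, make_cert_rewriter("/srv/certs", "example.com"))
    return query(proxy_sock, b"REQ\n")  # constructed request; real protocol differs


if __name__ == "__main__":
    print(demo().decode())
```

The important design point is that the proxy never needs to understand the request side: it only has to recognise the reply lines it wants to override, and everything else is passed through so the real config process stays the source of truth for all other settings.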
