lazy-load SNI?

Aki Tuomi aki.tuomi at dovecot.fi
Fri Nov 11 07:44:36 UTC 2016


On 11.11.2016 01:02, Felipe Gasper wrote:
> Hello,
>
> 	We’re rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config:
>
> local_name mail.foo.com {
>      ssl_cert = </ssl/domain_tls/*.foo.com/combined
>      ssl_key = </ssl/domain_tls/*.foo.com/combined
> }
>
> 	There are a couple problems we’re finding with this approach:
>
> 1) Dovecot wants to load everything at once, which has some machines taking up many GiB of memory just for Dovecot. Is there any way to defer loading of an SSL cert until a client actually requests it?
>
> 2) Any time we add or remove a domain, Dovecot’s SNI config matrix needs to be rebuilt. Is there a way to handle SNI requests dynamically via some sort of configuration plugin, so we wouldn’t need to rebuild the config on domain add/remove? I looked through the docs but couldn’t see a way to do this.
>
> 	Thank you in advance!
>
> -Felipe Gasper
> Mississauga, ON

Unfortunately, it's not possible now, though it has been asked before. We 
have this feature request in our list but cannot give any date when it 
would be available.

Aki Tuomi

Dovecot oy


