logging TLS SNI hostname

Aki Tuomi aki.tuomi at dovecot.fi
Thu Oct 20 12:45:56 UTC 2016



On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
>> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
>>> On Monday 17 of October 2016, KT Walrus wrote:
>>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
>>>>> wrote:
>>>>>
>>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>>>> Is there a way to log SNI hostname used in TLS session? Info is there
>>>>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>>>> ssl_io->host.
>>>>>>
>>>>>> Unfortunately I don't see it expanded to any variables (
>>>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>>>> feature request.
>>>>>>
>>>>>> The goal is to be able to see which hostname client used like:
>>>>>>
>>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>>>> Dear dovecot team, would it be possible to add such a variable ^^^^^ ?
>>>>>
>>>>> That would be a neat feature because the server operator would know what
>>>>> hostname the client uses to connect to the server (which is really useful in
>>>>> the case of many hostnames pointing to a single IP).
>>>> I’d love to be able to use this SNI domain name in the Dovecot IMAP
>>>> proxy for use in the SQL password_query. This would allow the proxy to
>>>> support multiple IMAP server domains each with their own set of users.
>>>> And, it would save me money by using only the IP of the proxy for all
>>>> the IMAP server domains instead of giving each domain a unique IP.
>>> It only needs to be carefully implemented on the dovecot side as the TLS SNI
>>> hostname is information passed directly by the client.
>>>
>>> So some fqdn name validation would need to happen in case if client has
>>> malicious intents.
>>>
>>>> Kevin
>> Hi!
>>
>> I wonder if this would be of any help? It provides %{local_name}
>> passdb/userdb variable, you can use it for some logging too...
>>
>> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> Should it work for such usage, too?
>
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> local_name=%{local_name} %c session=<%{session}>
>
> Because I'm not getting local_name logged at all (dovecot -a shows it's there).
>
>> Aki
> Thanks,

How did you try? With openssl you need to use openssl s_client -connect
... -servername something

Aki
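The thread makes two practical points: once `%{local_name}` is added to `login_log_format_elements` the SNI name shows up as a `local_name=` field in the login line, and because that name is supplied by the client it must be validated before it is used as a lookup key in something like `password_query`. The following Python is an added example, not code from the thread or from Dovecot: it parses constructed login lines in the layout the thread's `login_log_format_elements` would produce, applies a hostname syntax check to the `local_name` value, and maps it onto an allowlist of served domains before it would be handed to any lookup. The log lines, hostnames, addresses and session ids are all made up, and the function and variable names are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample lines (hostnames, addresses and session ids are made up) in the
# layout that the login_log_format_elements setting from the thread would produce
# once %{local_name} is added. The second line has no SNI at all, and the third
# carries a client-supplied value that is not a hostname (an IPv4 literal).
SAMPLE_LOG = """\
Oct 20 12:45:56 mx dovecot: imap-login: Login: user=<alice> method=PLAIN rip=192.0.2.10 lip=198.51.100.5 mpid=17135 local_name=imap.example.org TLS session=<hfS9Qwk03sBTBnrN>
Oct 20 12:46:01 mx dovecot: pop3-login: Login: user=<bob> method=PLAIN rip=192.0.2.11 lip=198.51.100.5 mpid=17140 TLS session=<a1b2c3d4e5f6g7h8>
Oct 20 12:46:07 mx dovecot: imap-login: Login: user=<carol> method=PLAIN rip=192.0.2.12 lip=198.51.100.5 mpid=17142 local_name=203.0.113.7 TLS session=<zzzzzzzzzzzzzzzz>
"""

# key=value pairs as emitted by login_log_format_elements; values in <> may contain spaces.
_FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\S+)")
# One RFC 1123 label: 1..63 alphanumerics/hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_login_line(line: str) -> dict[str, str] | None:
    """Return the key=value fields of a dovecot 'Login:' line, or None for other lines."""
    marker = "Login: "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields: dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line[idx + len(marker):]):
        # Strip the <> that dovecot puts around user and session values.
        fields[key] = value[1:-1] if value.startswith("<") else value
    return fields


def is_valid_hostname(name: str) -> bool:
    """Syntax check for a client-supplied SNI value before it is used anywhere.

    Accepts RFC 1123 host names only: at most 253 characters, at least two labels,
    each label matching _LABEL_RE. Rejects IPv4 literals (RFC 6066 forbids them in
    SNI anyway) and anything containing quotes, spaces or other characters that
    should never reach a password_query.
    """
    if not name or len(name) > 253 or _IPV4_RE.match(name):
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def select_domain(sni: str | None, served_domains: set[str]) -> str | None:
    """Map the SNI value onto one of the domains this server actually serves.

    Only known, normalised names are ever returned, so a lookup keyed on the result
    never sees the client's raw string; anything else yields None and the caller
    can fall back to a default domain or reject the login.
    """
    if sni is None or not is_valid_hostname(sni):
        return None
    normalised = sni.rstrip(".").lower()
    return normalised if normalised in served_domains else None


def summarize_by_sni(log_text: str, served_domains: set[str]) -> dict[str, int]:
    """Count logins per accepted local_name; bucket missing and rejected values separately."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        fields = parse_login_line(line)
        if fields is None:
            continue
        sni = fields.get("local_name")
        if sni is None:
            counts["<none>"] += 1
            continue
        domain = select_domain(sni, served_domains)
        counts[domain if domain is not None else "<invalid>"] += 1
    return dict(counts)


if __name__ == "__main__":
    served = {"imap.example.org", "pop3.example.org"}
    for name, count in sorted(summarize_by_sni(SAMPLE_LOG, served).items()):
        print(f"{name}: {count}")
```

The `<none>` bucket is worth watching separately from `<invalid>`: a client that negotiates TLS without SNI is normal (older clients, or direct IP connections), whereas a value that fails the syntax check is a client sending something that is not a hostname, which is exactly the case the thread says Dovecot must not trust.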

