logging TLS SNI hostname

Arkadiusz Miśkiewicz arekm at maven.pl
Thu Oct 20 12:52:17 UTC 2016


On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> > On Thursday 20 of October 2016, Aki Tuomi wrote:
> >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> >>> On Monday 17 of October 2016, KT Walrus wrote:
> >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
> >>>>> wrote:
> >>>>> 
> >>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >>>>>> Is there a way to log SNI hostname used in TLS session? Info is
> >>>>>> there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it
> >>>>>> to ssl_io->host.
> >>>>>> 
> >>>>>> Unfortunately I don't see it expanded to any variables (
> >>>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >>>>>> feature request.
> >>>>>> 
> >>>>>> The goal is to be able to see which hostname client used like:
> >>>>>> 
> >>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
> >>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
> >>>>> 
> >>>>> Dear dovecot team, would it be possible to add such a variable ^^^^^ ?
> >>>>> 
> >>>>> That would be a neat feature because the server operator would know
> >>>>> what hostname the client uses to connect to the server (which is really
> >>>>> useful in the case of many hostnames pointing to a single IP).
> >>>> 
> >>>> I’d love to be able to use this SNI domain name in the Dovecot IMAP
> >>>> proxy for use in the SQL password_query. This would allow the proxy to
> >>>> support multiple IMAP server domains each with their own set of users.
> >>>> And, it would save me money by using only the IP of the proxy for all
> >>>> the IMAP server domains instead of giving each domain a unique IP.
> >>> 
> >>> It only needs to be carefully implemented on the dovecot side, as the TLS
> >>> SNI hostname is information passed directly by the client.
> >>> 
> >>> So some fqdn name validation would need to happen in case the client has
> >>> malicious intent.
> >>> 
> >>>> Kevin
> >> 
> >> Hi!
> >> 
> >> I wonder if this would be of any help? It provides %{local_name}
> >> passdb/userdb variable, you can use it for some logging too...
> >> 
> >> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> > 
> > Should it work for such usage, too?
> > 
> > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> > local_name=%{local_name} %c session=<%{session}>
> > 
> > Because I'm not getting local_name logged at all (dovecot -a shows it's
> > there).
> > 
> >> Aki
> > 
> > Thanks,
> 
> How did you try? With openssl you need to use openssl s_client -connect
> ... -servername something

Yes, using it. -servername is mandatory for TLS SNI to work.

I'm getting the correct certificate (as shown by openssl s_client), the one
that's configured with local_name, so TLS SNI works fine on both the client and
dovecot side.

PS. I'm using 2.2.25 + the above %{local_name} patch. Could some other patch be
needed for this to work?
 
> Aki
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
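As an added example (not code from this thread or from Dovecot itself), here is how an operator could parse the login line produced by the login_log_format_elements quoted above and apply the FQDN validation Arkadiusz asks for before a client-supplied SNI name is used in a passdb/userdb lookup. The sample log line and the served-domain allow-list are constructed for the example.

```python
import re
from typing import Dict, FrozenSet, Optional

# Constructed sample: a Dovecot login line using the login_log_format_elements
# from the thread (user/method/rip/lip/mpid/local_name/%c/session).
SAMPLE_LOGIN_LINE = (
    "Oct 20 12:52:17 mx dovecot: imap-login: Login: user=<abc> method=PLAIN "
    "rip=1.1.1.1 lip=2.2.2.2 mpid=17135 local_name=pop3.somehost.org TLS "
    "session=<hfS9Qwk03sBTBnrN>"
)

# key=value elements; values for user/session are wrapped in <...>
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\S+)")

# One DNS label: 1..63 chars of [a-z0-9-], no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_login_line(line: str) -> Dict[str, str]:
    """Extract key=value elements from a Dovecot login line, unwrapping <...>."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith("<") else value
    return fields


def is_valid_fqdn(name: str) -> bool:
    """RFC 1123 style check: <= 253 chars total, at least two labels,
    every label matching LABEL_RE. Rejects anything that is not a hostname,
    which is the validation step the thread says SNI input needs."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.lower().split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def sni_for_lookup(local_name: str, served_domains: FrozenSet[str]) -> Optional[str]:
    """Normalise the client-supplied SNI and allow-list it against the domains
    this proxy actually serves; return None if it must not reach a query."""
    if not is_valid_fqdn(local_name):
        return None
    normalised = local_name.lower().rstrip(".")
    return normalised if normalised in served_domains else None


if __name__ == "__main__":
    fields = parse_login_line(SAMPLE_LOGIN_LINE)
    print(fields.get("local_name"), sni_for_lookup(fields["local_name"],
                                                    frozenset({"pop3.somehost.org"})))
```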

