<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jan 23, 2018 at 10:05 AM, Aki Tuomi <span dir="ltr"><<a href="mailto:aki.tuomi@dovecot.fi" target="_blank">aki.tuomi@dovecot.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="gmail-HOEnZb"><div class="gmail-h5"><br>
> On January 23, 2018 at 7:09 PM Arkadiusz Miśkiewicz <<a href="mailto:arekm@maven.pl">arekm@maven.pl</a>> wrote:<br>
><br>
><br>
> On Thursday 11 of January 2018, Aki Tuomi wrote:<br>
><br>
> > Seems we might've made a unexpected change here when we revamped the ssl<br>
> > code.<br>
><br>
> Revamped, interesting, can it support milions certs now on single machine? (so<br>
> are certs loaded by demand and not wasting memory)<br>
><br>
> > Aki<br>
><br>
><br>
> --<br>
> Arkadiusz Miśkiewicz, arekm / ( <a href="http://maven.pl" rel="noreferrer" target="_blank">maven.pl</a> | <a href="http://pld-linux.org" rel="noreferrer" target="_blank">pld-linux.org</a> )<br>
<br>
</div></div>Unfortunately not. This time round it was about putting the ssl code mostly in one place, so that we use same code for all SSL connections.<br>
<span class="gmail-HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div><br></div><div>Just to chime in, having some way of supporting SSL certs dynamically would be tremendously useful. Like splitting out the retrieval of certs/key to a socket, that would typically just be a built-in regular dovecot service ("go and get the certs that are configured in dovecot configs"), but could also be a custom unix listener that could return certs/keys. Dovecot would send in the local IP/port and/or SNI name (if there was one) to the socket and then use whatever comes back. A perl/python/etc script doing the unix listener could then grab the appropriate cert/key from wherever (and dovecot would presumably have a time-based cache for certs/keys). This is just wish-listing :)</div><div><br></div><div>Currently, I've got a million different domains on my dovecot boxes, so allowing them all to use per-domain SSL is a bit challenging. I've been searching for an SSL proxy that supports something like nginx/openresty's "ssl_certificate_by_lua_file" (and can communicate the remote IP to dovecot like haproxy does) to put in front of dovecot, to no avail. Having something like that built directly into dovecot would be a dream -- or that can at least farm that functionality out to a custom daemon).</div></div></div></div>