<div dir="auto"><div dir="auto">Thank you for the information Joel, very helpful! We've started doing the exact same thing actually, with good ol' ssl_certificate_by_lua, until we realized this wouldn't work with STARTTLS/STLS.</div><div dir="auto"><br></div><div dir="auto">We'd like that to work though and we can't seem to find a solution if Dovecot can't smoothly handle SNI at scale.</div><div dir="auto"><br><div data-smartmail="gmail_signature" dir="auto">--<br>Pierre Allétru<br>06 70 55 08 35<br><a href="mailto:pierre.alletru@gmail.com">pierre.alletru@gmail.com</a></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le jeu. 3 nov. 2022, 14:32, Joel A. Chornik <<a href="mailto:joel.chornik@gmail.com">joel.chornik@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What we do is have openresty(nginx) sit as a reverse proxy on top of dovecot, and use lua to dynamically load certificates using sni.<br>
<br>
We have a large userbase (100k+) and works without issues, except that it does not work with STARTTLS, only IMAP+TLS. Has not been an issue, as we setup users using autodiscover/autoconfig or as a fallback it is the default config in most user agents.<br>
<br>
Hope it helps<br>
Joel Chornik<br>
<br>
> <br>
> On 3 Nov 2022, at 10:24, Pierre Allétru <<a href="mailto:pierre.alletru@gmail.com" target="_blank" rel="noreferrer">pierre.alletru@gmail.com</a>> wrote:<br>
> <br>
> Pierre Allétru<br>
</blockquote></div>