On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, KT Walrus wrote:
>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <ar...@maven.pl> wrote:
>>>
>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>> Is there a way to log SNI hostname used in TLS session? Info is there in
>>>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>> ssl_io->host.
>>>>
>>>> Unfortunately I don't see it expanded to any variables (
>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>> feature request.
>>>>
>>>> The goal is to be able to see which hostname client used like:
>>>>
>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>> Dear dovecot team, would be possible to add such variable ^^^^^ ?
>>>
>>> That would be neat feature because server operator would know what
>>> hostname client uses to connect to server (which is really useful in
>>> case of many hostnames pointing to single IP).
>> I’d love to be able to use this SNI domain name in the Dovecot IMAP proxy
>> for use in the SQL password_query. This would allow the proxy to support
>> multiple IMAP server domains each with their own set of users. And, it
>> would save me money by using only the IP of the proxy for all the IMAP
>> server domains instead of giving each domain a unique IP.
> It only needs to be carefully implemented on dovecot side as TLS SNI hostname
> is information passed directly by client.
>
> So some fqdn name validation would need to happen in case if client has
> malicious intents.
>
>> Kevin

Hi!

I wonder if this would be of any help? It provides %{local_name} passdb/userdb variable, you can use it for some logging too...

https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Aki
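
The FQDN validation raised in the thread above, sketched as an added example that is not part of the original messages and not Dovecot's code: a check to run on the client-supplied SNI name before it reaches a log line or a SQL password_query. The function name `sni_hostname_normalize` and the sample input are assumptions; the rules applied are letter/digit/hyphen labels of at most 63 bytes, at most 253 bytes overall, and, following RFC 6066, no trailing dot and no IPv4 literal.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Dovecot code. Accepts a client-supplied SNI name
 * only if it is a plain DNS hostname; out holds a lowercased copy on success. */
bool sni_hostname_normalize(const char *name, size_t len, char *out, size_t out_size)
{
	size_t label_len = 0;
	bool all_digits = true;
	if (name == NULL || out == NULL || len == 0 || len > 253 || len >= out_size)
		return false;
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];
		if (c >= 'A' && c <= 'Z')
			c = (unsigned char)(c - 'A' + 'a');
		if (c == '.') {
			/* empty label, or label ending in '-' */
			if (label_len == 0 || name[i - 1] == '-')
				return false;
			label_len = 0;
			all_digits = true;
		} else {
			bool digit = c >= '0' && c <= '9';
			bool alpha = c >= 'a' && c <= 'z';
			/* rejects NUL, CR/LF, quotes, spaces, '%', 8-bit bytes */
			if (!digit && !alpha && !(c == '-' && label_len > 0))
				return false;
			all_digits = all_digits && digit;
			if (++label_len > 63)
				return false;
		}
		out[i] = (char)c;
	}
	/* trailing dot, trailing '-', or numeric last label (IPv4 literal) */
	if (label_len == 0 || name[len - 1] == '-' || all_digits)
		return false;
	out[len] = '\0';
	return true;
}

int main(void)
{
	const char *sni = "POP3.SomeHost.ORG"; /* constructed sample input */
	char host[254];

	if (sni_hostname_normalize(sni, strlen(sni), host, sizeof(host)))
		printf("SNI=%s\n", host);
	return 0;
}
```

The length is passed explicitly so that a name containing an embedded NUL byte is rejected rather than silently truncated; the contents of `out` are only meaningful when the function returns true.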