On Thursday 20 of October 2016, Aki Tuomi wrote: > On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote: > > On Thursday 20 of October 2016, Aki Tuomi wrote: > >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote: > >>> On Monday 17 of October 2016, KT Walrus wrote: > >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <ar...@maven.pl> > >>>>> wrote: > >>>>> > >>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote: > >>>>>> Is there a way to log SNI hostname used in TLS session? Info is > >>>>>> there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it > >>>>>> to ssl_io->host. > >>>>>> > >>>>>> Unfortunately I don't see it expanded to any variables ( > >>>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a > >>>>>> feature request. > >>>>>> > >>>>>> The goal is to be able to see which hostname client used like: > >>>>>> > >>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>, > >>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, > >>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN> > >>>>> > >>>>> Dear dovecot team, would be possible to add such variable ^^^^^ ? > >>>>> > >>>>> That would be neat feature because server operator would know what > >>>>> hostname client uses to connect to server (which is really usefull in > >>>>> case of many hostnames pointing to single IP). > >>>> > >>>> I’d love to be able to use this SNI domain name in the Dovecot IMAP > >>>> proxy for use in the SQL password_query. This would allow the proxy to > >>>> support multiple IMAP server domains each with their own set of users. > >>>> And, it would save me money by using only the IP of the proxy for all > >>>> the IMAP server domains instead of giving each domain a unique IP. > >>> > >>> It only needs to be carefuly implemented on dovecot side as TLS SNI > >>> hostname is information passed directly by client. > >>> > >>> So some fqdn name validation would need to happen in case if client has > >>> malicious intents. > >>> > >>>> Kevin > >> > >> Hi! > >> > >> I wonder if this would be of any help? It provides %{local_name} > >> passdb/userdb variable, you can use it for some logging too... > >> > >> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc > >> 5ed dd72 > > > > Should it work for such usage, too? > > > > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e > > local_name=%{local_name} %c session=<%{session}> > > > > Because I'm not getting local_name logged at all (dovecot -a shows its > > there). > > > >> Aki > > > > Thanks, > > How did you try? With openssl you need to use openssl s_client -connect > ... -servername something
Yes, using it. -servername is mandatory for TLS SNI to work. I'm getting correct certificate (as shown by openssl s_client). Certificate that's configured with local_name, so TLS SNI works fine on client and dovecot side. ps. I'm using 2.2.25 + above %{local_name} patch. Could some other patch be needed for this to work? > Aki -- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )