Thank you for the information Joel, very helpful! We've started doing the
exact same thing actually, with good ol' ssl_certificate_by_lua, until we
realized this wouldn't work with STARTTLS/STLS.
We'd like that to work though and we can't seem to find a solution if
Dovecot can't smoothly handle SN
What we do is have openresty(nginx) sit as a reverse proxy on top of dovecot,
and use lua to dynamically load certificates using sni.
We have a large userbase (100k+) and works without issues, except that it does
not work with STARTTLS, only IMAP+TLS. Has not been an issue, as we setup users
us
Hi folks,
We need to use SNI with Dovecot at a relatively large scale and I was
wondering if there's any update on the ability to:
1 - Lazy load SNI certificates when they are needed instead of loading them
all at once during startup/reload, thus taking a lot of memory and being
very sl
This has been merged, and hopefully will make it still to 2.2.27 release.
Aki Tuomi
Dovecot oy
On 01.12.2016 09:45, Aki Tuomi wrote:
> Thank you, we'll start looking at this.
>
> Aki
>
> On 01.12.2016 09:44, J. Nick Koston wrote:
>> Hi Aki & Felipe,
>>
>> Attached is an implementation of supporti
Thank you, we'll start looking at this.
Aki
On 01.12.2016 09:44, J. Nick Koston wrote:
> Hi Aki & Felipe,
>
> Attached is an implementation of supporting multiple domains in local_name.
>
> Example
>
> local_name "mail.domain.tld domain.tld mx.domain.tld" { ... }
>
> This can significantly reduce
0001-config-Match-multiple-names-in-local_name.patch
Description: Binary data
smime.p7s
Description: S/MIME cryptographic signature
> On Nov 11, 2016, at 9:06 AM, Aki Tuomi wrote:
>
> If you are interested in testing, please find patch attached that allows you
> to specify
>
> local_name *.foo.bar {
> }
>
> or
>
> local_name *.*.foo.bar {
> }
>
Dear Aki et al.,
How straightforward would it be to implement the
On Friday 11 of November 2016, KSB wrote:
> >>> Great! Seems to be working fine for my usage and makes my configs 50%
> >>> smaller (which is gigantic improvement). Will do more testing though.
> >>>
> >>> Thanks!
>
> A little bit offtopic, but what is the point of using imap/pop SNI?
> All
> cl
> On Nov 11, 2016, at 1:29 PM, KSB wrote:
>
Great! Seems to be working fine for my usage and makes my configs 50%
smaller (which is gigantic improvement). Will do more testing though.
Thanks!
>
> A little bit offtopic, but what is the point of using imap/pop SNI
Great! Seems to be working fine for my usage and makes my configs 50%
smaller (which is gigantic improvement). Will do more testing though.
Thanks!
A little bit offtopic, but what is the point of using imap/pop SNI? All
clients want to connect to their own domain or what?
--
Kaspars
On Friday 11 of November 2016, Aki Tuomi wrote:
> On 11.11.2016 19:17, Arkadiusz Miśkiewicz wrote:
> > On Friday 11 of November 2016, Aki Tuomi wrote:
> >> If you are interested in testing, please find patch attached that allows
> >> you to specify
> >>
> >> local_name *.foo.bar {
> >> }
> >>
> >
On 11.11.2016 19:17, Arkadiusz Miśkiewicz wrote:
On Friday 11 of November 2016, Aki Tuomi wrote:
If you are interested in testing, please find patch attached that allows
you to specify
local_name *.foo.bar {
}
or
local_name *.*.foo.bar {
}
so basically you can now use certificate name mat
On Friday 11 of November 2016, Aki Tuomi wrote:
> If you are interested in testing, please find patch attached that allows
> you to specify
>
> local_name *.foo.bar {
> }
>
> or
>
> local_name *.*.foo.bar {
> }
>
> so basically you can now use certificate name matching rules for
> local_name.
On 11.11.2016 12:22, Arkadiusz Miśkiewicz wrote:
On Friday 11 of November 2016, Felipe Gasper wrote:
Hello,
We’re rolling out large SNI deployments for our mail servers. Each
domain
gets an entry like this in the config:
local_name mail.foo.com {
ssl_cert =
Lack of glob/regexp
> On Nov 11, 2016, at 5:36 AM, Aki Tuomi wrote:
>
> Hi!
>
> We are going to do some changes at some point how the certs are loaded and
> handled to alleviate this. The idea is not yet ripe, so I won't go into too
> much detail, but idea is to move the cert storage from protocol login
> proce
> On November 11, 2016 at 12:22 PM Arkadiusz Miśkiewicz wrote:
>
>
> On Friday 11 of November 2016, Felipe Gasper wrote:
> > Hello,
> >
> > We’re rolling out large SNI deployments for our mail servers. Each
> > domain
> > gets an entry like this in the config:
> >
> > local_name mail.foo
On Friday 11 of November 2016, Felipe Gasper wrote:
> Hello,
>
> We’re rolling out large SNI deployments for our mail servers. Each
> domain
> gets an entry like this in the config:
>
> local_name mail.foo.com {
> ssl_cert = ssl_key = }
Lack of glob/regexp support here is also a
On 11.11.2016 01:02, Felipe Gasper wrote:
Hello,
We’re rolling out large SNI deployments for our mail servers. Each
domain gets an entry like this in the config:
local_name mail.foo.com {
ssl_cert =
Unfortunately it's not possible now, it has been asked before though. We
have
Hello,
We’re rolling out large SNI deployments for our mail servers. Each
domain gets an entry like this in the config:
local_name mail.foo.com {
ssl_cert =
19 matches
Mail list logo