Re: TLS communication director -> backend with X.509 cert checks?

2015-10-20 Thread Timo Sirainen
> On 15 Oct 2015, at 00:28, Heiko Schlittermann wrote: > > Hi Timo > > Heiko Schlittermann (Mi 14 Okt 2015 01:10:20 CEST): > … >> Ah, the information comes from the other director running. The other one >> is using an unpatched version of dovecot.

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-14 Thread Heiko Schlittermann
Hi Timo Heiko Schlittermann (Mi 14 Okt 2015 01:10:20 CEST): … > Ah, the information comes from the other director running. The other one > is using an unpatched version of dovecot. Your patch for backend-certificate verification works. Thank you for the good and fast

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Timo Sirainen
On 13 Oct 2015, at 22:18, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): > … >>> On connection setup from a client the director connects to the >>> selected backend. But it seems (not checked in the source yet), >>> that for SSL

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Timo Sirainen (Di 13 Okt 2015 21:36:40 CEST): … > > I see: > > > >a) pass the host *names* to the director too, for CN verification > > purpose > > > > Maybe in struct mail_host could be a field for the original > > hostname we used to obtain the address(es)?

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): > > the IP address the director connects to. > > Right. The hostnames are lost immediately at director startup. I've never > really thought about needing this functionality for director, since they're > usually in the same trusted

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): … > > On connection setup from a client the director connects to the > > selected backend. But it seems (not checked in the source yet), > > that for SSL certificate verification the director doesn't know the > > original host name

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Timo Sirainen
> On 13 Oct 2015, at 22:21, Heiko Schlittermann wrote: > > Timo Sirainen (Di 13 Okt 2015 21:02:59 CEST): >>> the IP address the director connects to. >> >> Right. The hostnames are lost immediately at director startup. I've never >> really thought about

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Timo Sirainen
On 13 Oct 2015, at 21:44, Heiko Schlittermann wrote: > > Hello, > > using Dovecot 2.2.9 and a setup with directors and backends. > The communication between directors and backends needs to be TLS > secured. > > The director config contains a list of hostnames for the

TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Hello, using Dovecot 2.2.9 and a setup with directors and backends. The communication between directors and backends needs to be TLS secured. The director config contains a list of hostnames for the backends. (implicit list because of multiple A/ records for a single hostname or explicit

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST): … > > Proxying in general does check that hostname matches the SSL certificate, > because both the hostname and IP address are sent to login process. So it > should work in a way that host= and hostip= is sent. I thought > my patch

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Hi Timo, Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST): > > Does the attached patch work? Compiles, but untested. > I'm about to test it. It seems to update the struct mail_host, but it looks as if the data in mail_host do not propagate down to login_proxy_new().

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Timo Sirainen
On 14 Oct 2015, at 00:34, Heiko Schlittermann wrote: > > Hi Timo, > > Heiko Schlittermann (Di 13 Okt 2015 22:33:23 CEST): >>> Does the attached patch work? Compiles, but untested. >> I'm about to test it. > > It seems to update the struct

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Heiko Schlittermann (Mi 14 Okt 2015 00:10:50 CEST): > Timo Sirainen (Di 13 Okt 2015 23:49:20 CEST): > … > > > > Proxying in general does check that hostname matches the SSL certificate, > > because both the hostname and IP address are sent to login process.

Re: TLS communication director -> backend with X.509 cert checks?

2015-10-13 Thread Heiko Schlittermann
Heiko Schlittermann (Mi 14 Okt 2015 00:46:11 CEST): … > > And if I add -D to the director service, I can see "Debug: request > refreshed timeout to …", > but I never see "Debug: request added". And from what I > understand this would be the place where the mail_host