[BlueOnyx:23869] Re: Is dovecot's SNI support planned?

Michael Stauber mstauber at blueonyx.it
Thu May 21 15:39:42 -05 2020


Hi Tomohiro Hosaka,

> We are considering SNI support for dovecot for pops and imaps.


Ooooh, that's sweet! Many thanks for bringing *this* to my attention. I
wasn't aware that Dovecot finally has SNI support.

> Specifically, it can be done with the following code.
> 
> # /etc/dovecot/conf.d/11-ssl-sni.conf
> local_name system.fqdn {
>     ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>     ssl_key =  </etc/pki/dovecot/private/dovecot.pem
> }
> % for my $vsite_fqdn (@vsite) {
> local_name $vsite_fqdn {
>     ssl_cert = </usr/sausalito/acme/certs/$vsite_fqdn/$vsite_fqdn.cer
>     ssl_key =  </usr/sausalito/acme/certs/$vsite_fqdn/$vsite_fqdn.key
> }
> % }
> 
> Add this to /usr/sausalito/handlers/base/email/copy_certs.pl etc
> I think that it can be supported by inserting an appropriate hook in
> /usr/sausalito/conf/base/email/email.conf.

Yeah, something like that will generally work. There are a few details
where some extra steps might be needed, but in principle it should work.

> There are various likes and dislikes of the trend of https conversion
> and let's encrypt, but the mobile environment around us and MUA are
> pressing us.

Yes, indeed. I'm really looking forward to adding SNI support to our email
related services. The problem of course being Sendmail. Postfix has SNI
support (more or less), but I'm not tempted to rip out Sendmail and
throw Postfix into productive servers as a YUM update. Because that
mightily rocks the boat and would be an invitation for disaster.

> I found the description of dane_tlsa_sni in
> ftp://ftp.sendmail.org/pub/sendmail/snapshots
> /sendmail.8.16.0.48.tar.gz.
>
> It may support it.

I just looked at it by grabbing the tarball and running a search on
"sni". I see what you mean.

I searched Google groups for it:

https://groups.google.com/forum/#!searchin/comp.mail.sendmail/SNI%7Csort:date

The only recent mention (from 2018) was the question about if and when
SNI support might be available and there wasn't an answer.

What I gather from this message ...

https://groups.google.com/forum/#!topic/comp.mail.sendmail/pZiNXfNmqAQ

... and various others is that DANE and DNSSEC support is finally making
it into Sendmail. But that's not SNI.

I'll dig a bit further into this in the next few days.

In the short haul we will get SNI support integrated into Dovecot. Once
that's done I'll step back and will think long and hard about what we can
do to get SNI support for SMTP. It may mean that we (after all) might have
to switch 5210R to Postfix.

However, *if* that's the case, then I'll not publish that as a mandatory
update. Instead it'll be included in new installs as new default and
older installs that still use Sendmail can be converted if needed (and
at the server owner's leisure) via a small procedure or a switch in the GUI.

Anyway: I'll look into it.

MANY thanks for bringing this to my attention!

-- 
With best regards

Michael Stauber
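As an added illustration (not code from the thread or from BlueOnyx), a small Python generator for the per-vsite `local_name` blocks quoted above: it emits the system block first and gives a vsite its own block only when both its ACME cert and key are present. The paths follow the quoted snippet; the system name, the vsite list and the injectable `exists` hook are constructed assumptions so the example runs offline.

```python
import os

# Paths mirror the quoted snippet; the vsite list further down is constructed.
SYSTEM_CERT = "/etc/pki/dovecot/certs/dovecot.pem"
SYSTEM_KEY = "/etc/pki/dovecot/private/dovecot.pem"
ACME_DIR = "/usr/sausalito/acme/certs"

def local_name_block(fqdn, cert, key):
    """One Dovecot local_name block; a leading '<' makes Dovecot read the
    file's contents instead of using the path as the literal value."""
    return (f"local_name {fqdn} {{\n"
            f"    ssl_cert = <{cert}\n"
            f"    ssl_key = <{key}\n}}\n")

def render_sni_conf(system_fqdn, vsites, acme_dir=ACME_DIR, exists=os.path.isfile):
    """Return (config_text, skipped_fqdns). The system block comes first.
    A vsite only gets its own block when BOTH its ACME cert and key are
    present, so a half-issued certificate cannot produce a broken entry
    that stops Dovecot from starting; clients asking for a skipped name
    just get the default certificate. `exists` is injectable for testing."""
    out = ["# 11-ssl-sni.conf: generated, do not edit by hand\n",
           local_name_block(system_fqdn, SYSTEM_CERT, SYSTEM_KEY)]
    skipped = []
    for fqdn in sorted(set(vsites)):  # dedupe, stable ordering
        cert = f"{acme_dir}/{fqdn}/{fqdn}.cer"
        key = f"{acme_dir}/{fqdn}/{fqdn}.key"
        if exists(cert) and exists(key):
            out.append(local_name_block(fqdn, cert, key))
        else:
            skipped.append(fqdn)
    return "".join(out), skipped

# Constructed demo: only mail.example.org has a complete cert/key pair.
DEMO_FILES = {
    f"{ACME_DIR}/mail.example.org/mail.example.org.cer",
    f"{ACME_DIR}/mail.example.org/mail.example.org.key",
    f"{ACME_DIR}/mail.example.net/mail.example.net.cer",  # key missing
}

def demo():
    return render_sni_conf(
        "server.example.com",
        ["mail.example.org", "mail.example.net", "mail.example.org"],
        exists=lambda path: path in DEMO_FILES)

if __name__ == "__main__":
    text, skipped = demo()
    print(text)
    print("skipped (no complete cert pair):", skipped)
```

Whatever regenerates this file (the copy_certs.pl handler or a hook in email.conf) should also reload Dovecot afterwards, since the `<file` values are read at startup.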


