[BlueOnyx:23885] Re: Is dovecot's SNI support planned?

Michael Stauber mstauber at blueonyx.it
Fri May 22 21:32:36 -05 2020


Hi all,

> There might actually be an easier approach that would also allow us to
> retain Sendmail and *still* get SNI support.
> 
> By using Nginx as email proxy:
> 
> https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

I've had a chance to play around with this today and I'd say: I'm not
entirely impressed. It's a nice experiment, but the practicality lies in
the eyes of the beholder.

Here is what I did for my testing: I set Dovecot and Sendmail to only
bind to ::1 (IPv6 localhost) and configured Nginx to handle anything
email related and to proxy incoming emails to ::1 port 25 and to proxy
POP3 and IMAP to Dovecot on ::1 and the respective ports.

In general I got it working, but like anything proxy related you run
into the usual issues: In /var/log/maillog the transactions were logged
as coming from ::1 and didn't show the real IP of the originating sender.

For email there isn't an easy proxy_pass directive. An intermediary
script that you need to provide yourself handles authentication and what
information is passed to the backend services. I got it working insofar
as it would eventually pass the real IP, but even then the whole
contraption in itself just didn't feel right.

A regular MTA also can do email pipelining (which Nginx as mail proxy
cannot do) and the next "dead on arrival" aspect is that Nginx can bind
to port 25 either as a plain-text or as a TLS service. It can't handle
plain-text and TLS on the same port.

The final aspect is that the script that handles authentication needs to
be very well thought out to prevent exploits or abuse. I'm fairly
certain that given enough time I could get it right.

Yet: I feel the approach to use Nginx as email proxy to enable SNI
support isn't the right choice for us.

Example: In order to make sure email can flow in you need not only
Sendmail running, but also Nginx, AdmServ and CCEd, because the
authentication script runs off AdmServ and has calls to CCEd for the
user data.

Instead of making things easier it adds more complexity and friction and
I don't like that.

So: That idea is dead.

However: I will now look into modifying Dovecot to allow SNI out of the box.

That will bring us closer to the finishing line of providing SNI for all
email related services and leaves only Sendmail out of the mix. That can
then be addressed by whatever means necessary at a later point in time.

-- 
With best regards

Michael Stauber
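For readers who want to see what the "intermediary script" in the post amounts to, here is an added example of the auth backend that nginx's mail proxy talks to (the `auth_http` directive). It is not BlueOnyx's script, nor nginx project code. The request and response header names (Auth-Method, Auth-User, Auth-Pass, Auth-Protocol, Client-IP, Auth-Status, Auth-Server, Auth-Port, Auth-Wait) are the ones nginx documents; the user table, the `X-Auth-Shared-Secret` header (which nginx would be told to send with `auth_http_header`), the ports and the lockout policy are constructed for the example. It shows the points the post says need to be "very well thought out": only the proxy may query it, unknown users and wrong passwords are indistinguishable in timing and wording, and repeated failures from one client IP are slowed down and then refused.

```python
"""Auth backend for nginx's mail proxy (added example, not BlueOnyx or nginx code).

nginx asks this HTTP endpoint whether a login is valid and which backend to
use. Everything below except the nginx header names is constructed for the
example; a real deployment would consult its own user store (CCEd on BlueOnyx).
"""
import hashlib
import hmac
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

SALT = b"constructed-static-salt"   # constructed; real stores use a per-user random salt


def pw_hash(password: str) -> bytes:
    """Slow, salted hash so a leaked table is not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample user store.
USERS = {"alice@example.invalid": pw_hash("correct horse")}
DUMMY_HASH = pw_hash("placeholder")   # compared against when the user does not exist

# Backends bound to ::1 only, as in the setup described in the post.
BACKENDS = {"smtp": ("::1", 25), "pop3": ("::1", 110), "imap": ("::1", 143)}

# Constructed shared secret: nginx sends it via `auth_http_header`, so a request
# without it cannot come from the proxy and is refused outright.
SHARED_SECRET = "constructed-shared-secret"
MAX_ATTEMPTS = 5                       # failures per client IP before we stop answering
FAILURES = defaultdict(int)            # client IP -> failed logins (per process, in memory)


def authenticate(headers: dict) -> dict:
    """Map nginx's request headers to the response headers it expects."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if not hmac.compare_digest(h.get("x-auth-shared-secret", ""), SHARED_SECRET):
        return {"Auth-Status": "Forbidden"}
    client_ip = h.get("client-ip", "unknown")
    if FAILURES[client_ip] >= MAX_ATTEMPTS:
        # Auth-Wait makes nginx hold the connection before reporting the error.
        return {"Auth-Status": "Too many failures", "Auth-Wait": "30"}
    proto = h.get("auth-protocol", "").lower()
    if proto not in BACKENDS:
        return {"Auth-Status": "Invalid protocol"}
    if h.get("auth-method", "").lower() != "plain":   # PLAIN and LOGIN both arrive as "plain"
        return {"Auth-Status": "Unsupported auth method"}
    # nginx percent-escapes some characters in these two headers.
    user = unquote(h.get("auth-user", ""))
    password = unquote(h.get("auth-pass", ""))
    failure = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    # Reject anything that is not a plausible mailbox name before touching the store.
    if not (0 < len(user) <= 254) or not user.isprintable() or "@" not in user:
        FAILURES[client_ip] += 1
        return failure
    # Always hash and always compare in constant time, so an unknown user and a
    # wrong password take the same time and return the same answer.
    stored = USERS.get(user, DUMMY_HASH)
    if not (hmac.compare_digest(pw_hash(password), stored) and user in USERS):
        FAILURES[client_ip] += 1
        return failure
    FAILURES.pop(client_ip, None)
    host, port = BACKENDS[proto]
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    """Thin HTTP front for nginx; the decisions are all in authenticate()."""

    def do_GET(self):
        self.send_response(200)   # nginx reads the Auth-* headers, not the status code
        for name, value in authenticate(dict(self.headers)).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Constructed listener address; nginx would be pointed at it with
    # `auth_http 127.0.0.1:9000/auth;` inside its `mail { ... }` block.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Note what this does and does not solve relative to the post: the backend gets told which loopback service to connect to, but the client's real address still only reaches an SMTP backend if that backend understands the XCLIENT extension that nginx's `xclient` directive sends, which is exactly the "logged as coming from ::1" problem described above.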
