[BlueOnyx:23863] Is dovecot's SNI support planned?

Tomohiro Hosaka bokutin at gmail.com
Thu May 21 02:22:42 -05 2020


We are considering SNI support for dovecot for pops and imaps.

Specifically, it can be done with the following code.

# /etc/dovecot/conf.d/11-ssl-sni.conf
local_name system.fqdn {
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key =  </etc/pki/dovecot/private/dovecot.pem
% for my $vsite_fqdn (@vsite) {
local_name $vsite_fqdn {
    ssl_cert = </usr/sausalito/acme/certs/$vsite_fqdn/$vsite_fqdn.cer
    ssl_key =  </usr/sausalito/acme/certs/$vsite_fqdn/$vsite_fqdn.key
% }

Add this to /usr/sausalito/handlers/base/email/copy_certs.pl etc
I think that it can be supported by inserting an appropriate hook in

If SNI is not supported for pops and imaps, hostname verification
failed will occur unless system.fqdn is specified.
The owner of vsite I think it's cool is better to be without knowing
the system.fqdn.

There are various likes and dislikes of the trend of https conversion
and let's encrypt, but the mobile environment around us and MUA are
pressing us.


More information about the Blueonyx mailing list