[BlueOnyx:23888] Re: Is dovecot's SNI support planned?

Tomohiro Hosaka bokutin at bokut.in
Fri May 22 23:57:07 -05 2020


Hi Michael,

> Instead of making things easier it adds more complexity and friction and
> I don't like that.

I think so too.

Postfix seems to have good SNI support.
http://www.postfix.org/TLS_README.html

However, I understand that replacing sendmail requires a lot of work.

Thanks,


On 2020-05-23 11:32, Michael Stauber wrote:
> Hi all,
> 
>> There might actually be an easier approach that would also allow us to
>> retain Sendmail and *still* get SNI support.
>> 
>> By using Nginx as email proxy:
>> 
>> https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/
> 
> I've had a chance to play around with this today and I'd say: I'm not
> entirely impressed. It's a nice experiment, but the practicality lies in
> the eyes of the beholder.
> 
> Here is what I did for my testing: I set Dovecot and Sendmail to only
> bind to ::1 (IPv6 localhost) and configured Nginx to handle anything
> email related and to proxy incoming emails to ::1 port 25 and to proxy
> POP3 and IMAP to Dovecot on ::1 and the respective ports.
> 
> In general I got it working, but like anything proxy related you run
> into the usual issues: In /var/log/maillog the transactions were logged
> as coming from ::1 and didn't show the real IP of the originating sender.
> 
> For email there isn't an easy proxy_pass directive. An intermediary
> script that you need to provide yourself handles authentication and what
> information is passed to the backend services. I got it working in so
> far it finally would eventually pass the real IP, but even then the
> whole contraption in itself just didn't feel right.
> 
> A regular MTA also can do email pipelining (which Nginx as mail proxy
> cannot do) and the next "dead on arrival" aspect is that Nginx can bind
> to port 25 either as plain-text or as TLS service. It can't handle
> plain-text and TLS on the same port.
> 
> The final aspect is that the script that handles authentication needs to
> be very well thought out to prevent exploits or abuse. I'm fairly
> certain that given enough time I could get it right.
> 
> Yet: I feel the approach to use Nginx as email proxy to enable SNI
> support isn't the right choice for us.
> 
> Example: In order to make sure email can flow in you need not only
> Sendmail running, but also Nginx, AdmServ and CCEd, because the
> authentication script runs off AdmServ and has calls to CCEd for the
> user data.
> 
> Instead of making things easier it adds more complexity and friction and
> I don't like that.
> 
> So: That idea is dead.
> 
> However: I will now look into modifying Dovecot to allow SNI out of the box.
> 
> That will bring us closer to the finishing line of providing SNI for all
> email related services and leaves only Sendmail out of the mix. That can
> then be addressed by whatever means necessary at a later point in time.
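For readers who want to see the shape of the intermediary script Michael refers to, here is an added example (not code from the thread or from BlueOnyx) of a minimal nginx `auth_http` handler: nginx sends the login as HTTP headers, and the script answers with the backend address on `::1` and the port for the requested protocol. The user table, salt, ports and listen address are constructed for illustration; the header names are the ones nginx's mail proxy documents.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND = "::1"                                  # Dovecot/Sendmail bound to loopback only
PORTS = {"imap": 143, "pop3": 110, "smtp": 25}   # plain ports on the loopback backend
MAX_ATTEMPTS = 3                                 # nginx counts attempts per connection

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user table: login -> (salt, pbkdf2 hash); never store plaintext.
_SALT = b"constructed-salt"
USERS = {"alice@example.org": (_SALT, _hash("correct horse", _SALT))}

def authorize(headers):
    """Map nginx's auth_http request headers to the response headers nginx expects.
    'Auth-Status' is 'OK' on success; any other text is shown to the client as an error."""
    proto = headers.get("Auth-Protocol", "")
    user = headers.get("Auth-User", "")
    password = headers.get("Auth-Pass", "")
    attempt = int(headers.get("Auth-Login-Attempt", "1"))
    if headers.get("Auth-Method") != "plain" or proto not in PORTS:
        return {"Auth-Status": "Unsupported method or protocol"}
    if attempt > MAX_ATTEMPTS:
        # Auth-Wait makes nginx delay before it lets the client try again.
        return {"Auth-Status": "Too many attempts", "Auth-Wait": "5"}
    salt, stored = USERS.get(user, (_SALT, b""))
    # Always compute the hash so unknown users cost the same time as known ones.
    if not stored or not hmac.compare_digest(_hash(password, salt), stored):
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": BACKEND, "Auth-Port": str(PORTS[proto])}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = authorize(dict(self.headers.items()))
        # Client-IP is the real peer address; log it here, since the backend only sees ::1.
        self.log_message("client=%s user=%s status=%s", self.headers.get("Client-IP"),
                         self.headers.get("Auth-User"), resp["Auth-Status"])
        self.send_response(200)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    # Constructed listen address; point nginx's auth_http directive at it.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Because the script is the only place that sees the client's real address and the login attempt counter, it is also the natural place for the logging and throttling Michael says such a script must get right.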

