dovecot - Oct 2015 - TLS communication director -> backend with X.509 cert checks?

Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:36:40 CEST):
?
> > I see:
> > 
> >    a) pass the host *names* to the director too, for CN verification
> >       purpose
> > 
> >       May be in struct mail_host could be a field for the original
> >       hostname we used to obtain the adress(es)?
> 
> Does the attached patch work? Compiles, but untested.
I'm about to test it.

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/dd1fd0e3/attachment.sig>

Hi Timo,

Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23
CEST):
> > Does the attached patch work? Compiles, but untested.
> I'm about to test it.
It seems to update the struct mail_host, but it looks as if the data 
in mail_host do not propagate down to login_proxy_new(). 

In other words, in login_proxy_new() set->host contains the IP address,
correctly, because the director choose it, but where can I find the
hostname there? And we need a way to pass the host*name* further, to the
SSL verifcation step, don't we?

    Best regards from Dresden/Germany
    Viele Gr??e aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20151013/7c7f18a3/attachment.sig>

On 14 Oct 2015, at 00:34, Heiko Schlittermann <hs at schlittermann.de>
wrote:
> 
> Hi Timo,
> 
> Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23
CEST):
>>> Does the attached patch work? Compiles, but untested.
>> I'm about to test it.
> 
> It seems to update the struct mail_host, but it looks as if the data 
> in mail_host do not propagate down to login_proxy_new(). 
> 
> In other words, in login_proxy_new() set->host contains the IP address,
> correctly, because the director choose it, but where can I find the
> hostname there? And we need a way to pass the host*name* further, to the
> SSL verifcation step, don't we?
Proxying in general does check that hostname matches the SSL certificate,
because both the hostname and IP address are sent to login process. So it should
work in a way that host=<hostname> and hostip=<ip> is sent. I
thought my patch did that.. Normally auth_debug=yes would be enough to debug
this, but this happens between director and login process so I don't think
it's going to be of much use. login process's client_auth_parse_args()
is what should see these two parameters correctly.

I can check this further tomorrow.