> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>
> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>> Is there a way to log the SNI hostname used in a TLS session? The info is there in
>> SSL_CTX_set_tlsext_servername_callback; dovecot copies it to
>> ssl_io->host.
>>
>> Unfortunately I don't see it expanded to any variables (
>> http://wiki.dovecot.org/Variables ). Please consider this to be a feature
>> request.
>>
>> The goal is to be able to see which hostname the client used, like:
>>
>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>
> Dear dovecot team, would it be possible to add such a variable ^^^^^ ?
>
> That would be a neat feature because the server operator would know what hostname
> the client uses to connect to the server (which is really useful in the case of many
> hostnames pointing to a single IP).

I'd love to be able to use this SNI domain name in the Dovecot IMAP proxy for use in the SQL password_query. This would allow the proxy to support multiple IMAP server domains, each with their own set of users. And it would save me money by using only the IP of the proxy for all the IMAP server domains instead of giving each domain a unique IP.

Kevin
On Monday 17 of October 2016, KT Walrus wrote:
> > On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
> >
> > On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >> Is there a way to log the SNI hostname used in a TLS session? The info is there in
> >> SSL_CTX_set_tlsext_servername_callback; dovecot copies it to
> >> ssl_io->host.
> >>
> >> Unfortunately I don't see it expanded to any variables (
> >> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >> feature request.
> >>
> >> The goal is to be able to see which hostname the client used, like:
> >>
> >> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
> >
> > Dear dovecot team, would it be possible to add such a variable ^^^^^ ?
> >
> > That would be a neat feature because the server operator would know what
> > hostname the client uses to connect to the server (which is really useful in
> > the case of many hostnames pointing to a single IP).
>
> I'd love to be able to use this SNI domain name in the Dovecot IMAP proxy
> for use in the SQL password_query. This would allow the proxy to support
> multiple IMAP server domains, each with their own set of users. And it
> would save me money by using only the IP of the proxy for all the IMAP
> server domains instead of giving each domain a unique IP.

It only needs to be carefully implemented on the dovecot side, as the TLS SNI hostname
is information passed directly by the client.

So some fqdn name validation would need to happen in case the client has
malicious intents.

> Kevin

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, KT Walrus wrote:
>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>>>
>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>> Is there a way to log the SNI hostname used in a TLS session? The info is there in
>>>> SSL_CTX_set_tlsext_servername_callback; dovecot copies it to
>>>> ssl_io->host.
>>>>
>>>> Unfortunately I don't see it expanded to any variables (
>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>> feature request.
>>>>
>>>> The goal is to be able to see which hostname the client used, like:
>>>>
>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>> Dear dovecot team, would it be possible to add such a variable ^^^^^ ?
>>>
>>> That would be a neat feature because the server operator would know what
>>> hostname the client uses to connect to the server (which is really useful in
>>> the case of many hostnames pointing to a single IP).
>> I'd love to be able to use this SNI domain name in the Dovecot IMAP proxy
>> for use in the SQL password_query. This would allow the proxy to support
>> multiple IMAP server domains, each with their own set of users. And it
>> would save me money by using only the IP of the proxy for all the IMAP
>> server domains instead of giving each domain a unique IP.
> It only needs to be carefully implemented on the dovecot side, as the TLS SNI hostname
> is information passed directly by the client.
>
> So some fqdn name validation would need to happen in case the client has
> malicious intents.
>
>> Kevin
>

Hi!

I wonder if this would be of any help? It provides a %{local_name} passdb/userdb variable; you can use it for some logging too...

https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Aki
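The following configuration is an added example, not code from this thread or from the Dovecot project. It wires the %{local_name} variable Aki points to into the SQL password_query Kevin describes (a proxy serving several IMAP domains on one IP, each with its own users), and it handles the concern Arkadiusz raises: the SNI name is chosen by the client, so it is only ever used as a lookup key against an operator-controlled table, never trusted as a domain on its own. The file paths, the mysql driver, the `domains`/`users` table layout and the `sni=` field in the login log line are all assumptions; %u, %n, %d, %m, %r, %l, %e, %c and %{session} are the documented Dovecot variables.

```ini
# /etc/dovecot/conf.d/auth-sql.conf.ext   (added example; paths are assumed)
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=127.0.0.1 dbname=mail user=dovecot password=CHANGE_ME
default_pass_scheme = SHA512-CRYPT

# %{local_name} is the TLS SNI hostname exactly as the client sent it, so it
# is untrusted input. Two things keep it safe to use here:
#   1. Dovecot SQL-escapes every variable it expands into the query, so a
#      crafted name cannot break out of the quoted string.
#   2. The name is only a join key against the operator-maintained `domains`
#      table: an SNI name that is not configured matches no row and the
#      login simply fails, instead of the name being trusted as a domain.
# A client that sends no SNI at all gets an empty %{local_name} and is
# rejected by the same join; that is deliberate for a proxy that keys
# everything on the SNI name.
# If the client also typed a domain in the login name (%d), it must agree
# with the SNI name, so "abc@other.example" cannot be steered into a
# different domain's user table by the TLS handshake alone.
#
# Assumed schema:
#   domains(id, name, backend_host)    -- name = 'imap.example.org'
#   users(domain_id, login, password)  -- login = local part only, no '@'
password_query = \
  SELECT CONCAT(u.login, '@', d.name) AS user, \
         u.password, \
         'y' AS proxy, \
         d.backend_host AS host \
  FROM users u JOIN domains d ON d.id = u.domain_id \
  WHERE u.login = '%n' \
    AND d.name = '%{local_name}' \
    AND ('%d' = '' OR '%d' = d.name)

# /etc/dovecot/conf.d/10-logging.conf
# Default login line plus the SNI name, so the log shows which hostname the
# client connected to (assumed: the login process expands %{local_name} in
# this setting in the version carrying the commit linked above).
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c sni=<%{local_name}> session=<%{session}>
```

The `user` column returned by the query rewrites the login name to `login@domain`, and `proxy` plus `host` tell the login process to forward the session to that domain's backend. Because the domain is resolved from the `domains` table rather than from the SNI string, adding a new hosted domain is a row insert and a certificate, not a new IP address.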