Hello,

We're rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config:

local_name mail.foo.com {
  ssl_cert = </ssl/domain_tls/*.foo.com/combined
  ssl_key = </ssl/domain_tls/*.foo.com/combined
}

There are a couple problems we're finding with this approach:

1) Dovecot wants to load everything at once, which has some machines taking up many GiB of memory just for Dovecot. Is there any way to defer loading of an SSL cert until a client actually requests it?

2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to be rebuilt. Is there a way to handle SNI requests dynamically via some sort of configuration plugin, so we wouldn't need to rebuild the config on domain add/remove? I looked through the docs but couldn't see a way to do this.

Thank you in advance!

-Felipe Gasper
Mississauga, ON
On 11.11.2016 01:02, Felipe Gasper wrote:
> Hello,
>
> We're rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config:
>
> local_name mail.foo.com {
>   ssl_cert = </ssl/domain_tls/*.foo.com/combined
>   ssl_key = </ssl/domain_tls/*.foo.com/combined
> }
>
> There are a couple problems we're finding with this approach:
>
> 1) Dovecot wants to load everything at once, which has some machines taking up many GiB of memory just for Dovecot. Is there any way to defer loading of an SSL cert until a client actually requests it?
>
> 2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to be rebuilt. Is there a way to handle SNI requests dynamically via some sort of configuration plugin, so we wouldn't need to rebuild the config on domain add/remove? I looked through the docs but couldn't see a way to do this.
>
> Thank you in advance!
>
> -Felipe Gasper
> Mississauga, ON

Unfortunately it's not possible now, it has been asked before though. We have this feature request in our list but cannot give any date when it would be available.

Aki Tuomi
Dovecot oy
On Friday 11 of November 2016, Felipe Gasper wrote:
> Hello,
>
> We're rolling out large SNI deployments for our mail servers. Each domain
> gets an entry like this in the config:
>
> local_name mail.foo.com {
>   ssl_cert = </ssl/domain_tls/*.foo.com/combined
>   ssl_key = </ssl/domain_tls/*.foo.com/combined
> }

Lack of glob/regexp support here is also a problem (for me). I could have a 50%
smaller config if local_name supported regexp matching, so it would be
possible to do:

local_name ^(pop3|imap)\.foo\.com {
  ...
}

or even with glob like *.foo.com matching.

> There are a couple problems we're finding with this approach:
>
> 1) Dovecot wants to load everything at once, which has some machines taking
> up many GiB of memory just for Dovecot. Is there any way to defer loading
> of an SSL cert until a client actually requests it?

No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html

Memory is one thing.

The other is that dovecot stops accepting clients when a huge config reload
happens (I guess it's a design problem since it makes no sense to do that in
any case. Clients should be processed without a gap using the old config until
the new config is loaded and ready to go).

And the third problem is that there is a hardcoded 10s limit for reloading,
which in the case of thousands of certificates is way too short a limit. Anyway,
if you hit that limit it's already a lost case due to the earlier problem.

> 2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to
> be rebuilt. Is there a way to handle SNI requests dynamically via some
> sort of configuration plugin, so we wouldn't need to rebuild the config on
> domain add/remove? I looked through the docs but couldn't see a way to do
> this.

That's unavoidable for now :-(

Here we started analyzing the maillog and put into the dovecot config only
those ssl certs for domains that are actually used with TLS. It's a very ugly
and short-sighted approach, but hopefully a proper solution will be implemented
by the dovecot team before all people start to use TLS.

> Thank you in advance!
>
> -Felipe Gasper
> Mississauga, ON

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
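The "analyze the maillog and configure only the names actually used" workaround described above, written out as an added example (this is not Arkadiusz's script or anything from Dovecot). It assumes `login_log_format_elements` has been extended with `local_name=%{local_name}` so the SNI name a client sent appears in the login line; the default format does not log it. The log lines are constructed, and the `/ssl/domain_tls/<name>/combined` path just follows the layout in Felipe's config. Because the SNI value is client-controlled and ends up in a log that is then turned into configuration, the script only accepts plain DNS hostnames and drops anything else instead of copying it into the generated config.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread). Line 3 is a plaintext login with no
# local_name; line 4 shows case/trailing-dot normalisation; line 5 is a value that is
# not a valid hostname and must not reach the generated config.
SAMPLE_LOG = """\
Nov 11 10:01:02 mx1 dovecot: imap-login: Login: user=<alice@foo.com>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=1234, TLS, local_name=imap.foo.com, session=<c1>
Nov 11 10:01:03 mx1 dovecot: pop3-login: Login: user=<bob@bar.com>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, mpid=1235, TLS, local_name=pop3.bar.com, session=<c2>
Nov 11 10:01:04 mx1 dovecot: imap-login: Login: user=<carol@baz.com>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=1236, session=<c3>
Nov 11 10:01:05 mx1 dovecot: imap-login: Login: user=<dan@foo.com>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, mpid=1237, TLS, local_name=IMAP.foo.com., session=<c4>
Nov 11 10:01:06 mx1 dovecot: imap-login: Login: user=<eve@qux.com>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5, mpid=1238, TLS, local_name=bad_host.qux.com, session=<c5>
"""

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Only TLS logins carry a meaningful SNI name (assumed log layout, see lead-in).
_LOCAL_NAME_RE = re.compile(r"-login: Login: .*\bTLS\b.*\blocal_name=([^,\s]+)")


def normalize_hostname(raw):
    """Lower-case, drop one trailing dot, and accept only plain DNS labels.
    Returns None for anything that is not a safe hostname."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return None
    return name


def observed_sni_names(log_text):
    """Count TLS logins per SNI name seen in the log; invalid names are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _LOCAL_NAME_RE.search(line)
        if not m:
            continue
        name = normalize_hostname(m.group(1))
        if name:
            counts[name] += 1
    return counts


def render_local_name_blocks(names, cert_dir="/ssl/domain_tls"):
    """Emit one local_name block per name in the layout used in the thread.
    The <cert_dir>/<name>/combined path is an assumption of this example."""
    blocks = []
    for name in sorted(names):
        path = f"{cert_dir}/{name}/combined"
        blocks.append(f"local_name {name} {{\n  ssl_cert = <{path}\n  ssl_key = <{path}\n}}")
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_local_name_blocks(observed_sni_names(SAMPLE_LOG)))
```

Run against a real maillog the script would read the file instead of `SAMPLE_LOG`; the counter is kept rather than a plain set so a name seen only once can be reviewed before it is added to the config.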
> On November 11, 2016 at 12:22 PM Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>
>
> On Friday 11 of November 2016, Felipe Gasper wrote:
> > Hello,
> >
> > We're rolling out large SNI deployments for our mail servers. Each domain
> > gets an entry like this in the config:
> >
> > local_name mail.foo.com {
> >   ssl_cert = </ssl/domain_tls/*.foo.com/combined
> >   ssl_key = </ssl/domain_tls/*.foo.com/combined
> > }
>
> Lack of glob/regexp support here is also a problem (for me). I could have a 50%
> smaller config if local_name supported regexp matching, so it would be
> possible to do:
>
> local_name ^(pop3|imap)\.foo\.com {
>   ...
> }
>
> or even with glob like *.foo.com matching.
>
> > There are a couple problems we're finding with this approach:
> >
> > 1) Dovecot wants to load everything at once, which has some machines taking
> > up many GiB of memory just for Dovecot. Is there any way to defer loading
> > of an SSL cert until a client actually requests it?
>
> No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html
>
> Memory is one thing.
>
> The other is that dovecot stops accepting clients when a huge config reload
> happens (I guess it's a design problem since it makes no sense to do that in
> any case. Clients should be processed without a gap using the old config until
> the new config is loaded and ready to go).
>
> And the third problem is that there is a hardcoded 10s limit for reloading,
> which in the case of thousands of certificates is way too short a limit. Anyway,
> if you hit that limit it's already a lost case due to the earlier problem.
>
> > 2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to
> > be rebuilt. Is there a way to handle SNI requests dynamically via some
> > sort of configuration plugin, so we wouldn't need to rebuild the config on
> > domain add/remove? I looked through the docs but couldn't see a way to do
> > this.
>
> That's unavoidable for now :-(
>
> Here we started analyzing the maillog and put into the dovecot config only
> those ssl certs for domains that are actually used with TLS. It's a very ugly
> and short-sighted approach, but hopefully a proper solution will be implemented
> by the dovecot team before all people start to use TLS.
>
> > Thank you in advance!
> >
> > -Felipe Gasper
> > Mississauga, ON
>
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Hi!

We are going to make some changes at some point to how the certs are loaded and handled, to alleviate this. The idea is not yet ripe, so I won't go into too much detail, but the idea is to move the cert storage from the protocol login processes to elsewhere.

The local_name matching can probably be fixed faster; it could use the same rules as matching cert names generally does.

Aki
On 11.11.2016 12:22, Arkadiusz Miśkiewicz wrote:
> On Friday 11 of November 2016, Felipe Gasper wrote:
>> Hello,
>>
>> We're rolling out large SNI deployments for our mail servers. Each domain
>> gets an entry like this in the config:
>>
>> local_name mail.foo.com {
>>   ssl_cert = </ssl/domain_tls/*.foo.com/combined
>>   ssl_key = </ssl/domain_tls/*.foo.com/combined
>> }
> Lack of glob/regexp support here is also a problem (for me). I could have a 50%
> smaller config if local_name supported regexp matching, so it would be
> possible to do:
>
> local_name ^(pop3|imap)\.foo\.com {
>   ...
> }
>
> or even with glob like *.foo.com matching.
>
>> There are a couple problems we're finding with this approach:
>>
>> 1) Dovecot wants to load everything at once, which has some machines taking
>> up many GiB of memory just for Dovecot. Is there any way to defer loading
>> of an SSL cert until a client actually requests it?
> No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html
>
> Memory is one thing.
>
> The other is that dovecot stops accepting clients when a huge config reload
> happens (I guess it's a design problem since it makes no sense to do that in
> any case. Clients should be processed without a gap using the old config until
> the new config is loaded and ready to go).
>
> And the third problem is that there is a hardcoded 10s limit for reloading,
> which in the case of thousands of certificates is way too short a limit. Anyway,
> if you hit that limit it's already a lost case due to the earlier problem.
>
>> 2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to
>> be rebuilt. Is there a way to handle SNI requests dynamically via some
>> sort of configuration plugin, so we wouldn't need to rebuild the config on
>> domain add/remove? I looked through the docs but couldn't see a way to do
>> this.
> That's unavoidable for now :-(
>
> Here we started analyzing the maillog and put into the dovecot config only
> those ssl certs for domains that are actually used with TLS. It's a very ugly
> and short-sighted approach, but hopefully a proper solution will be implemented
> by the dovecot team before all people start to use TLS.
>
>> Thank you in advance!
>>
>> -Felipe Gasper
>> Mississauga, ON
>

If you are interested in testing, please find the patches attached that allow you to specify

local_name *.foo.bar { }

or

local_name *.*.foo.bar { }

so basically you can now use certificate name matching rules for local_name. It made the most sense. This should apply cleanly to 2.2.26.0.

---
Aki Tuomi
Dovecot oy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-dns-Add-DNS-specific-matching-algorithms.patch
Type: text/x-patch
Size: 4450 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-lib-dns-Add-tests-for-dns-util.patch
Type: text/x-patch
Size: 4020 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-config-Match-local_name-using-dns-util.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0005.bin>
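An added illustration of the "certificate name matching rules" that the patch above applies to local_name, and of why they answer Arkadiusz's glob request. This is example code, not the patch itself or anything from Dovecot: it assumes, as certificate name matching does, that `*` stands for exactly one DNS label (so `*.foo.com` covers `imap.foo.com` but neither `foo.com` nor `a.b.foo.com`, which is what the separate `*.*.foo.bar` form is for), and it assumes a selection policy of exact name first, then the wildcard pattern with the fewest `*` labels; that precedence is this example's choice, not something the thread states. The SNI value is supplied by the client, so the matcher refuses anything that is not a plain hostname rather than letting a `*` sent by a client take part in the match.

```python
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Lower-case, drop one trailing dot, split into DNS labels; None if malformed."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    return None if "" in labels else labels


def _plain_hostname(labels):
    """True when every label is a literal DNS label (no '*' or other characters).
    Used on the client-supplied SNI so wildcards there are refused."""
    return all(_LABEL_RE.match(label) for label in labels)


def dns_match(pattern, hostname):
    """Certificate-name style match: '*' matches exactly one label, so the
    pattern and the hostname must have the same number of labels."""
    p, h = _labels(pattern), _labels(hostname)
    if p is None or h is None or len(p) != len(h) or not _plain_hostname(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def select_local_name(local_names, sni):
    """Choose which local_name block serves a client SNI (assumed policy for this
    example): an exact name wins, then the wildcard pattern with the fewest '*'
    labels. Returns None if nothing matches or the SNI is not a plain hostname."""
    h = _labels(sni)
    if h is None or not _plain_hostname(h):
        return None
    for name in local_names:
        if _labels(name) == h:
            return name
    matches = [n for n in local_names if dns_match(n, sni)]
    if not matches:
        return None
    return min(matches, key=lambda n: _labels(n).count("*"))


# Constructed config: one exact block plus the two wildcard forms from the patch description.
LOCAL_NAMES = ["mail.foo.com", "*.foo.com", "*.*.foo.com"]


def demo():
    """Map a set of client SNI values (constructed) to the block that would serve them."""
    clients = ["mail.foo.com", "pop3.foo.com", "a.b.foo.com", "foo.com", "*.foo.com", "imap.bar.com"]
    return {sni: select_local_name(LOCAL_NAMES, sni) for sni in clients}


if __name__ == "__main__":
    for sni, chosen in demo().items():
        print(f"{sni:15s} -> {chosen}")
```

The point to check when moving from one block per host to wildcards is the label count: a single `*.foo.com` block does not serve `foo.com` itself or any deeper name, so those still need their own entries.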