On 11.11.2016 12:22, Arkadiusz Miśkiewicz wrote:
> On Friday 11 of November 2016, Felipe Gasper wrote:
>> Hello,
>>
>> We're rolling out large SNI deployments for our mail servers. Each domain
>> gets an entry like this in the config:
>>
>> local_name mail.foo.com {
>> ssl_cert = </ssl/domain_tls/*.foo.com/combined
>> ssl_key = </ssl/domain_tls/*.foo.com/combined
>> }
> Lack of glob/regexp support here is also a problem (for me). I could have 50%
> smaller config if local_name supported regexp matching, so it would be
> possible to do:
>
> local_name ^(pop3|imap)\.foo\.com {
> ...
> }
>
> or even with glob like *.foo.com matching.
>
>> There are a couple problems we're finding with this approach:
>>
>> 1) Dovecot wants to load everything at once, which has some machines taking
>> up many GiB of memory just for Dovecot. Is there any way to defer loading
>> of an SSL cert until a client actually requests it?
> No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html
>
> Memory is one thing.
>
> The other is that dovecot stops accepting clients when huge config reload
> happens (I guess it's a design problem since it makes no sense to do that in
> any case. Clients should be processed without gap using old config until new
> config is loaded and ready to go).
>
> And third problem is that there is hardcoded 10s limit for reloading which in
> case of thousands of certificates is way too short limit. Anyway if you hit that
> limit it's already lost case due to earlier problem.
>
>> 2) Any time we add or remove a domain, Dovecot's SNI config matrix needs to
>> be rebuilt. Is there a way to handle SNI requests dynamically via some
>> sort of configuration plugin, so we wouldn't need to rebuild the config on
>> domain add/remove? I looked through the docs but couldn't see a way to do
>> this.
> That's unavoidable for now :-(
>
> Here we started analyzing maillog and put into dovecot config only these ssl
> certs for domains that are actually used with TLS. It's very ugly and
> short-sighted approach but hopefully proper solution will be implemented by
> dovecot team before all people start to use TLS.
>
>> Thank you in advance!
>>
>> -Felipe Gasper
>> Mississauga, ON
>
If you are interested in testing, please find patch attached that allows you to specify
local_name *.foo.bar {
}
or
local_name *.*.foo.bar {
}
so basically you can now use certificate name matching rules for
local_name. It made most sense.
This should apply cleanly to 2.2.26.0.
---
Aki Tuomi
Dovecot oy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-dns-Add-DNS-specific-matching-algorithms.patch
Type: text/x-patch
Size: 4450 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-lib-dns-Add-tests-for-dns-util.patch
Type: text/x-patch
Size: 4020 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-config-Match-local_name-using-dns-util.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20161111/e8b9ee41/attachment-0005.bin>
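The wildcard local_name matching described above (`*.foo.bar`, `*.*.foo.bar`, following the rules used for certificate names) can be illustrated with a small matcher. This is an added example and not Dovecot's own code or the attached patches; the semantics it assumes are those of RFC 6125 section 6.4.3 style certificate-name matching: a `*` stands for exactly one whole DNS label, a partial-label wildcard such as `ma*` is rejected, comparison is case-insensitive, and the label counts must be equal. The `select_local_name` helper and its exact-before-wildcard preference are also assumptions made for the example.

```python
"""Wildcard host-name matching modelled on certificate name rules.

Added example, not Dovecot code. Assumptions (not from the thread):
  * '*' matches exactly one DNS label and must be a whole label
  * the number of labels in pattern and host name must be equal
  * matching is case-insensitive and ignores a trailing dot
"""
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """Split a host name into lower-cased DNS labels (trailing dot ignored)."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches pattern under the wildcard rules above."""
    p = _labels(pattern)
    h = _labels(hostname)
    # A different label count never matches: '*.foo.bar' does not cover
    # 'foo.bar' itself nor 'a.b.foo.bar' (that needs '*.*.foo.bar').
    if not p or not h or len(p) != len(h):
        return False
    for pl, hl in zip(p, h):
        if pl == "*":
            # an empty label (as in 'a..foo.bar') is not a valid label
            if not hl:
                return False
            continue
        if "*" in pl:
            # partial-label wildcards ('ma*.foo.bar') are rejected outright
            return False
        if pl != hl:
            return False
    return True


def select_local_name(patterns: Iterable[str], sni_name: str) -> Optional[str]:
    """Pick the local_name block a client's SNI name should land in.

    Assumed policy for this example: an exact (non-wildcard) pattern wins
    over a wildcard one; otherwise the first matching pattern in
    configuration order is used. Returns None if nothing matches.
    """
    patterns = list(patterns)
    exact = [p for p in patterns if "*" not in p]
    wild = [p for p in patterns if "*" in p]
    for candidate in exact + wild:
        if hostname_matches(candidate, sni_name):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample configuration, mirroring the thread's examples.
    local_names = ["mail.foo.bar", "*.foo.bar", "*.*.foo.bar"]
    for sni in ["mail.foo.bar", "imap.foo.bar", "a.b.foo.bar", "foo.bar"]:
        print(f"{sni:16} -> {select_local_name(local_names, sni)}")
```

Because label counts must agree, a single `*.foo.bar` block does not absorb `foo.bar` or deeper names such as `a.b.foo.bar`; each depth needs its own pattern, which is exactly why the second form `*.*.foo.bar` is mentioned in the reply.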