dovecot - Oct 2021 - SNI via lookup?

On 2021-10-08 00:37, Felipe Gasper wrote:
>>> Dovecot call out to some external service to fetch a given domain?s
>>> certificate.
>> 
>> sni is something no one needs, your server name is not changing if you 
>> got a new custommer
> 
> Rest assured, it?s of great use to us.
complexity cost nothing maybe
> I?m just asking if there?s a way to configure it dynamically,
> similarly to how authn can be configured.
sni is not dynamicly secure

https://dovecot.org/pipermail/dovecot/2013-December/094214.html
> Thank you!
no problem on suggest more complexity to users / admins that want it

> On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me at junc.eu> wrote:
> 
> On 2021-10-08 00:37, Felipe Gasper wrote:
>>>> Dovecot call out to some external service to fetch a given
domain?s
>>>> certificate.
>>> sni is something no one needs, your server name is not changing if
you got a new custommer
>> Rest assured, it?s of great use to us.
> 
> complexity cost nothing maybe
Enh, we already have the complexity because of web hosting. It?s not much more
to teach Dovecot to use the certs that httpd uses.
> sni is not dynamicly secure
> 
> https://dovecot.org/pipermail/dovecot/2013-December/094214.html
SNI?s security problem is that the server name is sent unencrypted. This isn?t
really of much concern for mail, though.

Of note, this thread predates the wide public availability of free certificates.
We already have logic that re-issues a certificate when domain configurations
change; in fact, the overhead of rebuilding Dovecot?s configuration is part of
what I?d like to minimize.

-FG