similar to: Proxying, pertinent values and features, SNI

On 20.10.2016 15:41, Arkadiusz Mi?kiewicz wrote: > On Thursday 20 of October 2016, Aki Tuomi wrote: >> On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: >>> On Monday 17 of October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30

On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>>

Hello, We?re rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we?re finding with this approach: 1) Dovecot wants to load everything at once, which has some machines taking

Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =

Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name

Hi, I recognised some funny behaviour on my server. IMAP clients which won't send an Server Name Indication (SNI) sometimes get the wrong certificate. I would expect that those clients always get the default certificate (of my new domain), instead in about 20 to 50% of connections the certificate of my old domain will be presented. (sample rate was 3 times 30 connections) Clients sending SNI

Hello, does local_name in TLS SNI context support regex? for example: local_name example-(foo|bar).com { ssl_cert = </var/lib/dehydrated/certs/example.com/fullchain.pem ssl_key = </var/lib/dehydrated/certs/example.com/privkey.pem } Best regards

Hello, I've just finished transiting our proxies from perdition to dovecot (2.1.7-7 Debian). Yesterday 12 messages (all within the same second) like this caught my attention: --- Apr 25 17:19:09 pp11 dovecot: auth: Warning: proxy(redacted at gol.com,xx.xx.xx.xx,<26hUEivbfQBlMrMS>): DNS lookup for mb04.dentaku.gol.com took 5.002 s --- Now this machine at that time was handling a load

Hello, The users here have been migrated to the new mail system with dovecot 0.99.10.5 (Debian package) on the backends. Storage is maildir, only pop3 access for now. I see very seldom occurrences (compared to the session wide pop lock of qpopper on the old system) like this: --- Jun 16 14:35:52 mb01 pop3(user at gol.com): Timeout while waiting for release of exclusive fcntl() lock for index

> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >> Is there a way to log SNI hostname used in TLS session? Info is there in >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to >> ssl_io->host. >> >> Unfortunately I don't see it expanded to any

On 11.11.2016 19:17, Arkadiusz Mi?kiewicz wrote: > On Friday 11 of November 2016, Aki Tuomi wrote: > >> If you are interested in testing, please find patch attached that allows >> you to specify >> >> local_name *.foo.bar { >> } >> >> or >> >> local_name *.*.foo.bar { >> } >> >> so basically you can now use certificate

On 11.11.2016 12:22, Arkadiusz Mi?kiewicz wrote: > On Friday 11 of November 2016, Felipe Gasper wrote: >> Hello, >> >> We?re rolling out large SNI deployments for our mail servers. Each domain >> gets an entry like this in the config: >> >> local_name mail.foo.com { >> ssl_cert = </ssl/domain_tls/*.foo.com/combined >> ssl_key =

Hello, even though Timo seems to be hibernating (it's not _that_ cold in ole Suomi ;) I'd like to beg for a feature that would be very much appreciated over here. If something like this is already present and eluded my thorough archive and doc searches, feel free to smack me and then point me to the right direction. Feature request: More extensive session information and statistics in

Sure, and thanks for trying to help! These are the two correct answers when SNI is included. The certificates are fully chained. Both certificates carry the same subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN). X509v3 Subject Alternative Name:? ? DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at, DNS:pop.cs.sbg.ac.at X509v3 Subject Alternative Name:? ?

Thanks for the info. I do have one further question for you. On your servers that are currently handling 50k IMAP sessions, how many users does that correspond to? Since many users will have multiple IMAP sessions on multiple devices, I?d like to hear about some real-world numbers that could be used for budgeting a new project like mine. Also, do you use Dovecot IMAP proxies in front of your

thanks for your help happy to say that the performance dramatically improved after i use the high performance settings from here http://wiki.dovecot.org/LoginProcess grep Login: /var/log/mail.log.1 |wc -l with the mail.log being of a typical, busy day. 412992 i also picked up the imap and pop3 connections during peak hours [root at ns1 domains]# doveadm who | awk

christian the servers i currently own are dell servers. The servers i plan to buy are Dell R530, 2U rack servers with 8 x 3.5 inch drives, with 64 gb ram each, Hardware raid. I am thinking of 2 X 300 gb ssds raid1 and 6 x 2 tb drives in raid10 for data. I do not have any experience in setting up drdb (that would be my next step) ... primarily using standalone servers with hardware level

https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz.sig ??? - charset_alias: compile fails with Solaris Studio, reported by ??? ? John Woods. ??? - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. ??? - imapc: Don't try to add mails to index if they already exist there. ??? - imapc: If email is modified in

https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz.sig ??? - charset_alias: compile fails with Solaris Studio, reported by ??? ? John Woods. ??? - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. ??? - imapc: Don't try to add mails to index if they already exist there. ??? - imapc: If email is modified in

On Wednesday 21 of March 2018, Arkadiusz Mi?kiewicz wrote: > On Monday 19 of March 2018, Aki Tuomi wrote: > > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz > > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz.sig > > [...] > > > - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. > > That change broke handling of such