similar to: v2.2.35 released

On Wednesday 21 of March 2018, Arkadiusz Mi?kiewicz wrote: > On Monday 19 of March 2018, Aki Tuomi wrote: > > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz > > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz.sig > > [...] > > > - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. > > That change broke handling of such

On Monday 19 of March 2018, Aki Tuomi wrote: > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.35.tar.gz.sig [...] > - Fix local name handling in v2.2.34 SNI code, bug found by cPanel. That change broke handling of such entries local_name *.example.com { ssl_cert = </etc/certs/aaa.pem ssl_key = </etc/certs/aaa.pem }

Thank you, we'll start looking at this. Aki On 01.12.2016 09:44, J. Nick Koston wrote: > Hi Aki & Felipe, > > Attached is an implementation of supporting multiple domains in local_name. > > Example > > local_name "mail.domain.tld domain.tld mx.domain.tld" { ... } > > This can significantly reduce memory usage when using > a UCC certificate with

Aki, Multiple local_names would be ideal to accommodate certificates that have multiple names. The way I?m reading the code it looks like its having to pay for the memory for every name on the certificate because a unique CTX is being created for each name even if they are all on a single certificate. This would be a big memory win for anyone using a certificate with multiple names on it.

Hello, We?re rolling out large SNI deployments for our mail servers. Each domain gets an entry like this in the config: local_name mail.foo.com { ssl_cert = </ssl/domain_tls/*.foo.com/combined ssl_key = </ssl/domain_tls/*.foo.com/combined } There are a couple problems we?re finding with this approach: 1) Dovecot wants to load everything at once, which has some machines taking

Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =

On 20.10.2016 15:41, Arkadiusz Mi?kiewicz wrote: > On Thursday 20 of October 2016, Aki Tuomi wrote: >> On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: >>> On Monday 17 of October 2016, KT Walrus wrote: >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> >>>>> wrote: >>>>> >>>>> On Monday 30

On 18.10.2016 14:16, Arkadiusz Mi?kiewicz wrote: > On Monday 17 of October 2016, KT Walrus wrote: >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: >>> >>> On Monday 30 of May 2016, Arkadiusz Mi?kiewicz wrote: >>>> Is there a way to log SNI hostname used in TLS session? Info is there in >>>>

On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <dovecot at dovecot.org> wrote: > > On 21.11.2019 23.57, Marc Roos via dovecot wrote: > > Is it possible to configure a network for a cert instead of an ip? > > > > Something like this: > > > > local 192.0.2.0 { > > ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem > >

On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > > > On 27/11/2019 21:28 Mark Moseley via dovecot <dovecot at dovecot.org> > wrote: > > > > > > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot < > dovecot at dovecot.org> wrote: > > > > > > On 21.11.2019 23.57, Marc Roos via dovecot

Hi, I recognised some funny behaviour on my server. IMAP clients which won't send an Server Name Indication (SNI) sometimes get the wrong certificate. I would expect that those clients always get the default certificate (of my new domain), instead in about 20 to 50% of connections the certificate of my old domain will be presented. (sample rate was 3 times 30 connections) Clients sending SNI

Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name

Hello, I'm looking into deploying dovecot as a proxy, currently using perdition. Have been using dovecot on the actual servers for years, nearly a decade. So far just 1.x, but for the proxy it will have to be 2.x (2.1.7 is the current Debian version), as the trigger for this change is the need to support multiple SSL certificates. All that happens on the proxy seems to be handled by the

On 11.11.2016 19:17, Arkadiusz Mi?kiewicz wrote: > On Friday 11 of November 2016, Aki Tuomi wrote: > >> If you are interested in testing, please find patch attached that allows >> you to specify >> >> local_name *.foo.bar { >> } >> >> or >> >> local_name *.*.foo.bar { >> } >> >> so basically you can now use certificate

https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig * CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses

https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.34.tar.gz.sig * CVE-2017-15130: TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted. This happens only if Dovecot config has local_name { } or local { } configuration blocks and attacker uses

Hello, does local_name in TLS SNI context support regex? for example: local_name example-(foo|bar).com { ssl_cert = </var/lib/dehydrated/certs/example.com/fullchain.pem ssl_key = </var/lib/dehydrated/certs/example.com/privkey.pem } Best regards

I want to supply separate Letsencrypt certificates for each virtual domain and seeing that SNI does not work I need to allocate separate IPs. Could anyone give some pointers, or keywords to search for, on... a) how to make dovecot listen for different domains on different IPs? b) how to configure separate SSL certs for each of these IPs?

> On 19 Jan 2016, at 16:04, Nikolaos Milas <nmilas at noa.gr> wrote: > > On 19/1/2016 3:31 ??, Timo Sirainen wrote: > >> Change it the other way around: >> >> remote 127.0.0.1 { >> protocol imap { >> ... >> } >> } > > Thank you for your advice Timo (on "remote" blocks). > > So, the "remote"

One step further in my quest to create a replacement mail server. I now have my old mail server (2.3.19.1, macOS + MacPorts) and my new (2.3.20, Alpine Linux, Docker, apk package). When I turn on replication it works, but, after a while I see: Jan 06 00:50:31 replicator: Panic: data stack: Out of memory when allocating 268435496 bytes Jan 06 00:50:32 replicator: Fatal: master: