Re: TLS communication director -> backend with X.509 cert checks?

Tue, 13 Oct 2015 15:47:23 -0700 

Heiko Schlittermann <h...@schlittermann.de> (Mi 14 Okt 2015 00:10:50 CEST):
> Timo Sirainen <t...@iki.fi> (Di 13 Okt 2015 23:49:20 CEST):
> …
> > 
> > Proxying in general does check that hostname matches the SSL certificate, 
> > because both the hostname and IP address are sent to login process. So it 
> > should work in a way that host=<hostname> and hostip=<ip> is sent. I 
> > thought my patch did that.. Normally auth_debug=yes would be enough to 
> > debug this, but this happens between director and login process so I don't 
> > think it's going to be of much use. login process's 
> > client_auth_parse_args() is what should see these two parameters correctly.
> > 
> > I can check this further tomorrow.
> 
> I've put an i_warning("*** %s: ...", __FUNCTION__, ...) into several places.
> 
> Oct 14 00:02:33 director1 dovecot: director: Warning: *** 
> login_host_callback: 
> OK#0112#011user=foo#011proxy#011ssl=yes#011nopassword=y#011lip=2001:x.y:f33::5:1#011lport=993#011pass=x#011proxy_refresh=450#011host=2001:x.y:f33::5:fe
> 
> Here it seems that the director doesn't send it's knowledge about the
> hostname.
> 
> Here some other output, to show that the host list contains names and 
> addresses:
> 
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added 
> backends.<domain> [2001:x.y:f33::5:fe]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added 
> backends.<domain> [2001:x.y:f33::5:ff]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added 
> backends.<domain> [149.x.y.103]
> Oct 14 00:02:32 director1 dovecot: director: Warning: ** mail_host_add: added 
> backends.<domain> [149.x.y.102]

And if I add -D to the director service, I can see "Debug: request <hash> 
refreshed timeout to …",
but never I see "Debug: request <hash> added".  And from what I
understand this would be the place where the mail_host info comes into
the game. 

But probably I do not understand how director_request_continue() is
supposed to work.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Attachment: signature.asc
Description: Digital signature

Reply via email to