Hi!

We are indeed listening. And Dovecot actually can check the name on the 
certificate, if you ask it to do so.

https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_cert

Aki

> On 16/05/2023 14:58 EEST Sean Gallagher <s...@teletech.com.au> wrote:
> 
>  
> It gets worse! If you request a client certificate, Dovecot will not 
> check the name on the certificate, only that it is signed by a known CA. 
> I raised this issue on this list some time ago and got no response. I'm 
> not sure anyone is listening.
> 
> On 16/05/2023 7:54 pm, Serg via dovecot wrote:
> > I would like to propose implementing a feature to reject SSL handshakes 
> > for the default certificate-key pair, so that bot requests can be 
> > discarded efficiently (i.e. requests that present an invalid or 
> > unconfigured hostname, or none at all, as when connecting to the IP 
> > address directly).
> >
> > Nginx has such feature already implemented as seen here[1], and it 
> > would be beneficial if dovecot would support this too.
> >
> > Currently I am using the following SSL configuration snippet to mimic 
> > such behavior:
> >
> >> ssl_cert = </etc/ssl/dovecot/server.crt
> >> ssl_key = </etc/ssl/dovecot/server.key
> >>
> >> local_name flopster.at.encryp.ch {
> >>     ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
> >>     ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
> >> }
> >
> > But in this case the problem is that for invalid requests (in this 
> > example, requests that carry no Server Name Indication at all, or any 
> > name other than flopster.at.encryp.ch) Dovecot still replies with a TLS 
> > certificate rather than simply rejecting them with a 
> > TLSV1_UNRECOGNIZED_NAME error code.
> >
> > [1]: 
> > <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake>
> > _______________________________________________
> > dovecot mailing list -- dovecot@dovecot.org
> > To unsubscribe send an email to dovecot-le...@dovecot.org
> 
> -- 
> This email has been checked for viruses by AVG antivirus software.
> www.avg.com
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

Reply via email to
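For anyone landing on this thread later, here is an added example (written for this page, not code from the thread or from the Dovecot documentation) that puts the two settings Aki points to next to Serg's local_name layout. Setting names are the Dovecot 2.3 ones; the hostname imap.example.org, the file paths and the CA file are assumptions.

```conf
# Added example, not from the thread. Dovecot 2.3 settings as they would
# appear in conf.d/10-ssl.conf and conf.d/10-auth.conf. Paths, hostname
# and the CA file are assumptions.

ssl = required

# Default pair, served when the client sends no SNI or an unknown name.
# Dovecot still completes the handshake with this pair; there is no
# counterpart to nginx's ssl_reject_handshake, which is the gap Serg
# describes.
ssl_cert = </etc/ssl/dovecot/server.crt
ssl_key  = </etc/ssl/dovecot/server.key

# Per-SNI pair, same layout as Serg's snippet.
local_name imap.example.org {
  ssl_cert = </etc/ssl/domains/imap.example.org/fullchain
  ssl_key  = </etc/ssl/domains/imap.example.org/key
}

# Client certificates: request one and validate its chain against this CA.
# On its own this is the behaviour Sean describes: any certificate signed
# by the CA passes, whichever name it carries.
ssl_ca = </etc/ssl/dovecot/client-ca.pem   # must also contain the CRL when
ssl_verify_client_cert = yes               # ssl_require_crl is on
ssl_require_crl = yes

# Tie the certificate to the account: take the login username from the
# certificate's subject CN (the setting Aki links to) and refuse to
# authenticate at all without a valid client certificate.
ssl_cert_username_field = commonName
auth_ssl_username_from_cert = yes
auth_ssl_require_client_cert = yes
```

Two things worth checking after applying this: `ssl_verify_client_cert = yes` alone only validates the chain, so without `auth_ssl_require_client_cert = yes` a client that sends no certificate can still log in with a password; and `auth_ssl_username_from_cert` replaces the username the client supplies with the one from the certificate, so the CN values in your client CA must match the usernames in your userdb.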