RE: Cert for ip range?
How can I bind the managesieve to the internal use network/interface?

service managesieve-login {
  inet_listener sieve {
    address = 192.168.10.0/24
    port = 4190
  }
}

-Original Message-
From: Mark Moseley via dovecot [mailto:dovecot@dovecot.org]
Sent: Wednesday 27 November 2019 22:06
To: Aki Tuomi
Cc: Mark Moseley via dovecot
Subject: Re: Cert for ip range?

On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi wrote:

> > On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
> >
> > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:
> >
> > > On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > > > Is it possible to configure a network for a cert instead of an ip?
> > > >
> > > > Something like this:
> > > >
> > > > local 192.0.2.0 {
> > > > ssl_cert =
> > > > ssl_key =
> > > > }
> > > >
> > > > Or
> > > >
> > > > local 192.0.2.0/24 {
> > > > ssl_cert =
> > > > ssl_key =
> > > > }
> > > >
> > > > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > >
> > > Local part supports that.
> > >
> > > Aki
> >
> > On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
> >
> > If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
>
> Actually that is supported, but you need to use v2.2.35 or later.

Ha, it literally *never* fails (that there's some option I've overlooked 10 times, before asking on the list) 'local' vs 'local_name'. Never noticed the difference before in the docs. Might be worth adding a blurb in https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes '*'-style wildcard (at least in the beginning of the hostname).

I'll resume my embarrassed silence now. :)
Re: Cert for ip range?
On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi wrote:

> > On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
> >
> > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> >
> > > On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > > > Is it possible to configure a network for a cert instead of an ip?
> > > >
> > > > Something like this:
> > > >
> > > > local 192.0.2.0 {
> > > > ssl_cert =
> > > > ssl_key =
> > > > }
> > > >
> > > > Or
> > > >
> > > > local 192.0.2.0/24 {
> > > > ssl_cert =
> > > > ssl_key =
> > > > }
> > > >
> > > > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > >
> > > Local part supports that.
> > >
> > > Aki
> >
> > On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
> >
> > If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
>
> Actually that is supported, but you need to use v2.2.35 or later.

Ha, it literally *never* fails (that there's some option I've overlooked 10 times, before asking on the list) 'local' vs 'local_name'. Never noticed the difference before in the docs.

Might be worth adding a blurb in https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes '*'-style wildcard (at least in the beginning of the hostname).

I'll resume my embarrassed silence now. :)
Re: Cert for ip range?
> On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
>
> On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:
>
> > On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > > Is it possible to configure a network for a cert instead of an ip?
> > >
> > > Something like this:
> > >
> > > local 192.0.2.0 {
> > > ssl_cert =
> > > ssl_key =
> > > }
> > >
> > > Or
> > >
> > > local 192.0.2.0/24 {
> > > ssl_cert =
> > > ssl_key =
> > > }
> > >
> > > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >
> > Local part supports that.
> >
> > Aki
>
> On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
>
> If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.

Actually that is supported, but you need to use v2.2.35 or later.

Aki
Re: Cert for ip range?
On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:

> On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > Is it possible to configure a network for a cert instead of an ip?
> >
> > Something like this:
> >
> > local 192.0.2.0 {
> > ssl_cert =
> > ssl_key =
> > }
> >
> > Or
> >
> > local 192.0.2.0/24 {
> > ssl_cert =
> > ssl_key =
> > }
> >
> > https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> Local part supports that.
>
> Aki

On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.

If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
Re: Cert for ip range?
On 21.11.2019 23.57, Marc Roos via dovecot wrote:

> Is it possible to configure a network for a cert instead of an ip?
>
> Something like this:
>
> local 192.0.2.0 {
> ssl_cert =
> ssl_key =
> }
>
> Or
>
> local 192.0.2.0/24 {
> ssl_cert =
> ssl_key =
> }
>
> https://wiki.dovecot.org/SSL/DovecotConfiguration

Local part supports that.

Aki
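
The two mechanisms the thread arrives at, side by side, as an added example that is not from any poster or from the Dovecot project: a `local` block keyed on a CIDR range of server-side addresses, and a `local_name` block keyed on a wildcard SNI name (v2.2.35 or later, per the reply in the thread). All certificate and key paths are placeholder assumptions.

```conf
# Added example; every path below is a placeholder (assumption),
# not a value taken from the thread.

ssl = required

# Default certificate: served when no local / local_name block matches,
# for instance when the client sends no SNI name.
ssl_cert = </etc/dovecot/tls/default.crt
ssl_key = </etc/dovecot/tls/default.key

# Selected by the server-side (local) address the client connected to.
# The CIDR range covers every listening address inside that network,
# so one block replaces one "local <ip>" block per address.
local 192.0.2.0/24 {
  ssl_cert = </etc/dovecot/tls/internal.crt
  ssl_key = </etc/dovecot/tls/internal.key
}

# Selected by the TLS SNI name the client sends. The leading '*'
# wildcard replaces listing pop3.example.com, imap.example.com,
# pops.example.com, pop.example.com one by one.
local_name *.example.com {
  ssl_cert = </etc/dovecot/tls/wildcard.example.com.crt
  ssl_key = </etc/dovecot/tls/wildcard.example.com.key
}

# Key files should be readable by root only; the certificate files
# themselves are public data.
```

`doveconf -n` prints the settings as parsed, and `openssl s_client -connect <host>:993 -servername imap.example.com` shows which certificate is actually served for a given SNI name.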