RE: Cert for ip range?

2019-12-01 Thread Marc Roos via dovecot
How can I bind the managesieve to the internal use network/interface?

service managesieve-login {
  inet_listener sieve {
    address = 192.168.10.0/24
    port = 4190
  }
}


-Original Message-
From: Mark Moseley via dovecot [mailto:dovecot@dovecot.org] 
Sent: Wednesday 27 November 2019 22:06
To: Aki Tuomi
Cc: Mark Moseley via dovecot
Subject: Re: Cert for ip range?

On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi wrote:

> On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
> 
> 
> On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:
> > 
> >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> >  > Is it possible to configure a network for a cert instead of an ip?
> >  >
> >  > Something like this:
> >  >
> >  > local 192.0.2.0 {
> >  > ssl_cert =
> >  > ssl_key =
> >  > }
> >  >
> >  > Or
> >  >
> >  > local 192.0.2.0/24 {
> >  > ssl_cert =
> >  > ssl_key =
> >  > }
> >  >
> >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >  >
> >  >
> >  >
> >  
> >  Local part supports that.
> >  
> >  Aki
> 
> 
> On the same topic (though I can start a new thread if preferable), it doesn't
> appear that you can use wildcards/patterns in the 'local' name, unless I'm
> missing something--which is quite likely.
> 
> If it's not possible currently, can I suggest adding that as a feature? That
> is, instead of having to list out all the various SNI hostnames that a cert
> should be used for (e.g. "local pop3.example.com imap.example.com
> pops.example.com pop.example.com  {" -- and on and on), it'd be handy to be
> able to just say "local *.example.com {" and call it a day. I imagine there'd
> be a bit of a slowdown, since you'd have to loop through patterns on each
> connection (instead of what I assume is a hash lookup), esp for people with
> significant amounts of 'local's.
>

Actually that is supported, but you need to use v2.2.35 or later. 




Ha, it literally *never* fails (that there's some option I've overlooked 
10 times, before asking on the list)

'local' vs 'local_name'. Never noticed the difference before in the 
docs. Might be worth adding a blurb in 
https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' 
takes '*'-style wildcard (at least in the beginning of the hostname). 
I'll resume my embarrassed silence now. :)




Re: Cert for ip range?

2019-11-27 Thread Mark Moseley via dovecot
On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi wrote:

>
> > On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
> >
> >
> > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> > >
> > >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > >  > Is it possible to configure a network for a cert instead of an ip?
> > >  >
> > >  > Something like this:
> > >  >
> > >  > local 192.0.2.0 {
> > >  > ssl_cert =
> > >  > ssl_key =
> > >  > }
> > >  >
> > >  > Or
> > >  >
> > >  > local 192.0.2.0/24 {
> > >  > ssl_cert =
> > >  > ssl_key =
> > >  > }
> > >  >
> > >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > >  >
> > >  >
> > >  >
> > >
> > >  Local part supports that.
> > >
> > >  Aki
> >
> >
> > On the same topic (though I can start a new thread if preferable), it
> > doesn't appear that you can use wildcards/patterns in the 'local' name,
> > unless I'm missing something--which is quite likely.
> >
> > If it's not possible currently, can I suggest adding that as a feature?
> > That is, instead of having to list out all the various SNI hostnames that
> > a cert should be used for (e.g. "local pop3.example.com imap.example.com
> > pops.example.com pop.example.com  {" -- and on and on), it'd be handy to
> > be able to just say "local *.example.com {" and call it a day. I imagine
> > there'd be a bit of a slowdown, since you'd have to loop through patterns
> > on each connection (instead of what I assume is a hash lookup), esp for
> > people with significant amounts of 'local's.
> >
>
> Actually that is supported, but you need to use v2.2.35 or later.
>
>
Ha, it literally *never* fails (that there's some option I've overlooked 10
times, before asking on the list)

'local' vs 'local_name'. Never noticed the difference before in the docs.
Might be worth adding a blurb in
https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes
'*'-style wildcard (at least in the beginning of the hostname). I'll resume
my embarrassed silence now. :)
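
The two selectors this thread settles on, as an added Dovecot configuration example that is not part of any message in the thread: `local` keyed on the server-side address or network, and `local_name` keyed on the SNI hostname. All certificate and key paths are placeholders; the addresses and hostnames are the documentation values used in the thread.

```conf
# Added example; every path below is a placeholder.

# Default certificate, used when no block below matches.
# The leading '<' makes Dovecot read the file's contents as the value.
ssl_cert = </etc/dovecot/tls/default.crt
ssl_key  = </etc/dovecot/tls/default.key

# Selected by the local (server-side) IP the client connected to.
# A network with a prefix length is accepted, not only a single address.
local 192.0.2.0/24 {
  ssl_cert = </etc/dovecot/tls/internal.crt
  ssl_key  = </etc/dovecot/tls/internal.key
}

# Selected by the TLS SNI hostname sent by the client.
# The leading '*' wildcard needs v2.2.35 or later, per the thread.
local_name *.example.com {
  ssl_cert = </etc/dovecot/tls/wildcard.example.com.crt
  ssl_key  = </etc/dovecot/tls/wildcard.example.com.key
}

# Key files should be readable by root only; Dovecot reads them
# before dropping privileges.
```

`doveconf -n` prints the effective settings, and `openssl s_client -connect <server>:993 -servername imap.example.com` shows which certificate a given SNI name actually receives.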


Re: Cert for ip range?

2019-11-27 Thread Aki Tuomi via dovecot


> On 27/11/2019 21:28 Mark Moseley via dovecot wrote:
> 
> 
> On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:
> > 
> >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> >  > Is it possible to configure a network for a cert instead of an ip?
> >  >
> >  > Something like this:
> >  >
> >  > local 192.0.2.0 {
> >  > ssl_cert =
> >  > ssl_key =
> >  > }
> >  >
> >  > Or
> >  >
> >  > local 192.0.2.0/24 {
> >  > ssl_cert =
> >  > ssl_key =
> >  > }
> >  >
> >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >  >
> >  >
> >  >
> >  
> >  Local part supports that.
> >  
> >  Aki
> 
> 
> On the same topic (though I can start a new thread if preferable), it doesn't 
> appear that you can use wildcards/patterns in the 'local' name, unless I'm 
> missing something--which is quite likely.
> 
> If it's not possible currently, can I suggest adding that as a feature? That
> is, instead of having to list out all the various SNI hostnames that a cert
> should be used for (e.g. "local pop3.example.com imap.example.com
> pops.example.com pop.example.com  {" -- and on and on), it'd be handy to be
> able to just say "local *.example.com {" and call it a day. I imagine there'd
> be a bit of a slowdown, since you'd have to loop through patterns on each
> connection (instead of what I assume is a hash lookup), esp for people with
> significant amounts of 'local's.
>

Actually that is supported, but you need to use v2.2.35 or later. 

Aki


Re: Cert for ip range?

2019-11-27 Thread Mark Moseley via dovecot
On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot wrote:

>
> On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > Is it possible to configure a network for a cert instead of an ip?
> >
> > Something like this:
> >
> > local 192.0.2.0 {
> > ssl_cert =
> > ssl_key  =
> > }
> >
> > Or
> >
> > local 192.0.2.0/24 {
> > ssl_cert =
> > ssl_key  =
> > }
> >
> > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >
> >
> >
>
> Local part supports that.
>
> Aki
>


On the same topic (though I can start a new thread if preferable), it
doesn't appear that you can use wildcards/patterns in the 'local' name,
unless I'm missing something--which is quite likely.

If it's not possible currently, can I suggest adding that as a feature?
That is, instead of having to list out all the various SNI hostnames that a
cert should be used for (e.g. "local pop3.example.com imap.example.com
pops.example.com pop.example.com  {" -- and on and on), it'd be handy
to be able to just say "local *.example.com {" and call it a day. I imagine
there'd be a bit of a slowdown, since you'd have to loop through patterns
on each connection (instead of what I assume is a hash lookup), esp for
people with significant amounts of 'local's.


Re: Cert for ip range?

2019-11-26 Thread Aki Tuomi via dovecot


On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> Is it possible to configure a network for a cert instead of an ip?
>
> Something like this:
>
> local 192.0.2.0 {
> ssl_cert =
> ssl_key  =
> }
>
> Or
>
> local 192.0.2.0/24 {
> ssl_cert =
> ssl_key  =
> }
>
> https://wiki.dovecot.org/SSL/DovecotConfiguration
>
>
>

Local part supports that.

Aki