I would like to offer to implement a feature to reject SSL handshakes
for a default certificate-key pair, for efficiently discarding bot
requests (i.e. requests that provide an invalid/not configured
hostname or do not specify one at all, like when making a request to
the IP address directly).
Nginx already has such a feature implemented, as seen here[1], and it
would be beneficial if Dovecot supported this too.
Currently I am using the following SSL configuration snippet to mimic
such behavior:
ssl_cert = </etc/ssl/dovecot/server.crt
ssl_key = </etc/ssl/dovecot/server.key
local_name flopster.at.encryp.ch {
  ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
  ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
}
But in this case the problem is that the invalid requests (in this
example, requests that don't have Server Name Indication at all or
mention anything other than flopster.at.encryp.ch) are still answered
by Dovecot with a TLS certificate rather than simply being rejected
with a TLSV1_UNRECOGNIZED_NAME error code.
[1]: <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake>
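A way to check from the outside which of the two behaviours a server actually exhibits (fallback certificate served, or handshake rejected with an unrecognized_name alert) is to run `openssl s_client` once without SNI, once with the configured name and once with an unrelated name, and look at what comes back. The script below is an added example, not part of the post above or of Dovecot; it assumes an OpenSSL 1.1.1+ `s_client` (for the `-noservername` option) and treats the host, port and alternative name as placeholders. The name flopster.at.encryp.ch is the one from the post; the `classify_sni_output` function only parses text, so it can be tested on constructed output without a live server.

```shell
#!/bin/sh
# Added example (not from the original post): probe which certificate a TLS
# service presents for a given SNI name, or whether it rejects the handshake.

# classify_sni_output: read `openssl s_client` output on stdin and print
#   rejected        the server sent a TLS unrecognized_name alert (alert number 112)
#   cert:<subject>  the handshake completed; <subject> is the first "subject=" line
#   unknown         neither pattern was found (connection refused, STARTTLS needed, ...)
classify_sni_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'unrecognized name|alert number 112'; then
        echo rejected
        return 0
    fi
    # s_client prints the leaf certificate's subject as "subject=..." on success
    subject=$(printf '%s\n' "$out" | grep '^subject=' | head -n 1 | sed 's/^subject=//')
    if [ -n "$subject" ]; then
        echo "cert:$subject"
        return 0
    fi
    echo unknown
}

# probe_sni HOST PORT [SERVERNAME] [STARTTLS-PROTO]
#   SERVERNAME empty  -> send no SNI at all (-noservername), i.e. the "direct IP" case
#   STARTTLS-PROTO    -> e.g. "imap" for port 143 / "smtp" for 587; omit for implicit TLS (993)
probe_sni() {
    host=$1; port=$2; name=${3:-}; starttls=${4:-}
    if [ -n "$name" ]; then
        sni_opt="-servername $name"
    else
        sni_opt="-noservername"
    fi
    extra=""
    [ -n "$starttls" ] && extra="-starttls $starttls"
    # </dev/null ends the session right after the handshake; the alert text is on stderr
    openssl s_client -connect "$host:$port" $sni_opt $extra </dev/null 2>&1 | classify_sni_output
}

# Usage (placeholder host/port; run against your own server):
#   probe_sni mail.example.invalid 993                          # no SNI
#   probe_sni mail.example.invalid 993 flopster.at.encryp.ch    # configured name
#   probe_sni mail.example.invalid 993 other.example.invalid    # unknown name
#   probe_sni mail.example.invalid 143 flopster.at.encryp.ch imap
```

With the configuration from the post, the first and third probes report the subject of the fallback server.crt; a server implementing the requested rejection would report `rejected` for them while still reporting the flopster.at.encryp.ch certificate for the second.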
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org