It gets worse! If you request a client certificate, Dovecot will not
check the name on the certificate, only that it is signed by a known CA.
I raised this issue on this list some time ago and got no response. I'm
not sure anyone is listening.
On 16/05/2023 7:54 pm, Serg via dovecot wrote:
I would like to offer to implement a feature to reject SSL handshakes
for a default certificate-key pair, for efficiently discarding bot
requests (i.e. requests that provide an invalid/not configured
hostname or do not specify one at all, like when making a request to the IP
address directly).
Nginx has such a feature already implemented, as seen here[1], and it
would be beneficial if dovecot supported this too.
Currently I am using the following SSL configuration snippet to mimic
such behavior:
ssl_cert = </etc/ssl/dovecot/server.crt
ssl_key = </etc/ssl/dovecot/server.key
local_name flopster.at.encryp.ch {
  ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
  ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
}
But in this case the problem is that the invalid requests (for this
example, requests that don't have Server Name Indication at all
or mention anything other than flopster.at.encryp.ch) are still
being replied to by Dovecot with a TLS certificate rather than being
simply rejected with a TLSV1_UNRECOGNIZED_NAME error code.
[1]: <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake>
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
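The behaviour the poster asks for (serve a certificate only when the client's SNI names a configured host, otherwise abort the handshake with unrecognized_name instead of falling back to a default pair) can be shown with Python's ssl module. The following is an added example written for this thread; it is not Dovecot or nginx code. The hostname, the certificate paths and the fake socket used for testing are assumptions; a real listener would wrap an accepted socket with the returned context.

```python
import ssl

# Alert sent back when the client's SNI is missing or not configured.
# The client sees this as TLSV1_UNRECOGNIZED_NAME (alert description 112).
REJECT = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


def make_sni_gate(named_contexts):
    """Build an sni_callback that admits only handshakes whose SNI matches
    a configured name.

    named_contexts maps a lowercase hostname to the SSLContext holding that
    host's certificate chain. Returning None lets the handshake continue;
    returning an alert constant makes OpenSSL abort it with that alert.
    """
    def sni_gate(ssl_sock, server_name, initial_ctx):
        if server_name is None:
            # No SNI at all, e.g. a bot connecting to the bare IP address.
            return REJECT
        ctx = named_contexts.get(server_name.lower())
        if ctx is None:
            # SNI present but names a host we do not serve.
            return REJECT
        # Known host: switch this connection to the per-name certificate.
        ssl_sock.context = ctx
        return None
    return sni_gate


def build_listener_context(default_cert, default_key, named_certs):
    """Create the listening context.

    default_cert/default_key: the fallback pair loaded into the initial
    context (the equivalent of the top-level ssl_cert/ssl_key in the
    poster's snippet); with the gate installed it is never presented to a
    client whose SNI is missing or unknown.
    named_certs: {hostname: (certfile, keyfile)}, the equivalent of the
    local_name blocks.
    """
    listener = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    listener.load_cert_chain(default_cert, default_key)
    named = {}
    for name, (certfile, keyfile) in named_certs.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        named[name.lower()] = ctx
    listener.sni_callback = make_sni_gate(named)
    return listener


if __name__ == "__main__":
    # Assumed paths mirroring the thread's snippet; they must exist to run this.
    listener = build_listener_context(
        "/etc/ssl/dovecot/server.crt",
        "/etc/ssl/dovecot/server.key",
        {"flopster.at.encryp.ch": (
            "/etc/ssl/domains/flopster.at.encryp.ch/fullchain",
            "/etc/ssl/domains/flopster.at.encryp.ch/key")},
    )
    # Usage: tls_conn = listener.wrap_socket(accepted_sock, server_side=True)
    # A client without SNI, or with any other name, fails the handshake with
    # TLSV1_UNRECOGNIZED_NAME; flopster.at.encryp.ch gets its own chain.
```

The decision is made inside the ClientHello processing, before any certificate is selected, so a scanner that never sends SNI learns nothing about which certificate the server would otherwise present. The gate is case-insensitive because SNI host names are compared case-insensitively.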