On 26. Feb 2025, at 18.27, Julius Kriukas via dovecot <dovecot@dovecot.org> 
wrote:
> 
> Hello everyone.
> 
> We are testing out Dovecot 2.4.0 and noticed a regression in how the
> `local_name` filter with multiple space-separated host names works.
> 
> For example, having the following dovecot.conf:
> 
> ```
> ...
> ssl_server_cert_file = /etc/dovecot/global.cert
> ssl_server_key_file = /etc/dovecot/global.key
> ssl_server_dh_file = /etc/dovecot/dh.pem
> ...
> local_name "server.example.com mail.example.com" {
>  ssl_server_cert_file = /etc/dovecot/example.com.cert
>  ssl_server_key_file = /etc/dovecot/example.com.key
> }
> ```

I had completely forgotten that there was such a feature. Looks like it was 
added by:

commit fb13dfaa903c5efb492e993888aa444138001e8e
Author: J. Nick Koston <n...@cpanel.net>
Date:   Thu Dec 1 01:38:02 2016 -0600

    config: Match multiple names in local_name

    This can significantly reduce memory usage when using
    a UCC certificate with multiple names by only loading
    the certificate and key once.

I don't think there is much of a benefit anymore with v2.4, since the 
certificate and keys are accessed via mmap()ed binary config file. So although 
the cert/key are duplicated there, that happens only once per server, not once 
per process.

I don't think this syntax was even documented anywhere?

> The `doveconf` tool thinks the example configuration should work,
> hinting that this is likely to be a bug. Example:
> 
> ```
> # doveconf -f local_name=mail.example.com ssl_server
> ssl_server {
>  cert_file = /etc/dovecot/example.com.cert
>  dh_file = /etc/dovecot/dh.pem
>  key_file = /etc/dovecot/example.com.key
> }
> ```

This is also somewhat accidental, because I preserved this filtering code.

> Any confirmation if this is really a bug, or maybe an intended
> configuration syntax change (to force repeating the local_name blocks
> for each hostname) would be really appreciated. Thanks.


Seems like just extra complexity to me with an ugly syntax. Unless someone 
convinces me otherwise, I think I'll just remove all traces of it.
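
For configurations that still use the multi-name form discussed in this thread, the following added example (not code from the thread or from the Dovecot project) rewrites each `local_name "a b" { ... }` block into one block per host name, the repeated form the original poster mentions. The function name and the sample input are assumptions made for illustration, and the brace counting assumes no `{` or `}` appears inside quoted values or comments.

```python
import re

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE = '''\
ssl_server_cert_file = /etc/dovecot/global.cert
ssl_server_key_file = /etc/dovecot/global.key
local_name "server.example.com mail.example.com" {
  ssl_server_cert_file = /etc/dovecot/example.com.cert
  ssl_server_key_file = /etc/dovecot/example.com.key
}
local_name imap.example.org {
  ssl_server_cert_file = /etc/dovecot/example.org.cert
}
'''

# local_name header with either a quoted argument or a bare host name.
HEADER = re.compile(r'^(\s*)local_name\s+(?:"([^"]*)"|(\S+))\s*\{\s*$')

def expand_local_name(conf: str) -> str:
    """Rewrite every multi-name local_name block as one block per host name."""
    out, lines, i = [], conf.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        names = (m.group(2) or m.group(3) or "").split() if m else []
        if len(names) < 2:
            # Not a multi-name header: copy the line through unchanged.
            out.append(lines[i])
            i += 1
            continue
        # Find the line holding the brace that closes this header.
        depth, j = 1, i + 1
        while j < len(lines) and depth:
            depth += lines[j].count("{") - lines[j].count("}")
            j += 1
        if depth:
            raise ValueError(f"unterminated local_name block at line {i + 1}")
        body = lines[i + 1:j]  # block contents plus the closing "}" line
        for name in names:
            out.append(f"{m.group(1)}local_name {name} {{")
            out.extend(body)
        i = j
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(expand_local_name(SAMPLE), end="")
```

Running `doveconf -f local_name=<name> ssl_server` for each host name, as in the quoted message, shows which certificate and key the rewritten configuration resolves for it.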