On 2025-05-23 12:57, Aki Tuomi via dovecot wrote:
> It should work if you send cn, that should be supported. Are you sure you are
> sending SNI in your testing? e.g. with openssl you need to use -servername
> foobar to actually send SNI.
> Aki
Thanks. Yeah I am sure. I am filtering by SNI on haproxy. My mail client
is properly using SNI in TLS. Just confirmed it with wireshark:
Extension: server_name (len=17)
    Type: server_name (0)
    Length: 17
    Server Name Indication extension
        Server Name list length: 15
        Server Name Type: host_name (0)
        Server Name length: 12
        Server Name: secret
Also, on the server I see PROXY V2 packets. I set haproxy to send the authority
TLV (which contains the SNI value used by the client) and it seems dovecot still
does not make use of it.
TLV: (t=2,l=12) AUTHORITY
    Type: AUTHORITY (0x02)
    Length: 12
    Value: secret
So it seems it is not supported by dovecot or it is a bug. What do you
think? Could you confirm that TLV AUTHORITY is supported by dovecot and
this should work for sure? If this is a bug, where should I report it?
DK
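
The PROXY v2 header described in the message above can be decoded independently of Dovecot to confirm which AUTHORITY value the proxy puts on the wire. This is an added example, not part of the original message and not Dovecot or haproxy code; the host name `mail.example`, the addresses and the helper names are constructed for illustration.

```python
import socket
import struct
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"    # fixed 12-byte PROXY v2 signature
PP2_TYPE_AUTHORITY = 0x02                 # TLV type shown in the capture above
ADDR_LEN = {0x1: 12, 0x2: 36, 0x3: 216}   # AF_INET, AF_INET6, AF_UNIX block sizes

def parse_proxy_v2(data):
    """Parse one PROXY v2 header into command, IPv4 source and raw TLVs."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    result = {"command": ver_cmd & 0x0F, "source": None, "tlvs": {}}
    family = fam_proto >> 4
    if result["command"] == 0 or family == 0:
        return result                      # LOCAL or AF_UNSPEC: payload is ignored
    if family not in ADDR_LEN or len(body) < ADDR_LEN[family]:
        raise ValueError("bad address block")
    if family == 0x1:                      # only IPv4 addresses are decoded here
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        result["source"] = (socket.inet_ntoa(src), sport)
    pos = ADDR_LEN[family]
    while pos < len(body):                 # TLVs: 1-byte type, 2-byte length, value
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV length exceeds header")
        result["tlvs"][tlv_type] = value
        pos += 3 + tlv_len
    return result

def authority(data):
    """Return the AUTHORITY TLV as text, or None when the proxy sent none."""
    raw = parse_proxy_v2(data)["tlvs"].get(PP2_TYPE_AUTHORITY)
    return None if raw is None else raw.decode("ascii")

def build_sample(name=b"mail.example"):
    """Constructed header: TCP over IPv4, PROXY command, optional AUTHORITY TLV."""
    body = socket.inet_aton("192.0.2.10") + socket.inet_aton("192.0.2.20")
    body += struct.pack("!HH", 50000, 993)
    if name is not None:
        body += struct.pack("!BH", PP2_TYPE_AUTHORITY, len(name)) + name
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

Feeding `authority()` the first bytes captured on the backend side of the proxy shows whether the TLV arrives as expected before looking at how the receiving server handles it.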