5209R/5210R: SNI support added to Dovecot
Server Name Indication (SNI) support has now been added to Dovecot.
What is SNI?
Server Name Indication is a crucial component of SSL that oftentimes goes under the radar. SNI is what allows multiple websites to exist on the same IP address. Without SNI, each hostname would require its own IP address in order for an SSL certificate to be installed. However, SNI solves this problem.
BlueOnyx already supports SNI for SSL enabled webpages for a long time.
For email this always was a bit problematic. Our email server software (Sendmail) doesn't support SNI. But the version of Dovecot we're using on BlueOnyx 5209R and 5210R for POP3 and IMAP supports SNI. Today we published updates for BlueOnyx 5209R and 5210R which activate SNI for Dovecot out of the box.
What does it mean?
Say your server is called server.hosting.com and you have a Vsite named www.client.com on it, which has SSL enabled. In the past if someone connected via POP3 or IMAP over TLS to www.client.com to fetch emails, then the email program on the clients PC, tablet or mobile device would complain that the email servers SSL certificate had a name mismatch. Dovecot was *only* using the SSL certificate of the server itself and the validity therefore was only for server.hosting.com (to follow our example) and that certificate is not valid for www.client.com.
Users had to accept the certificate once and then it worked without further complains.
How it works now with SNI available in Dovecot: If a Vsite has a valid SSL certificate, then Dovecot will use that certificate as well and will use it when someone connects to POP3 or IMAP via TLS. So if someone connects to www.client.com via POP3 or IMAP over TLS, then they get the SSL certificate for www.client.com served and the email client doesn't complain about a certificate mismatch.
Please note: Not all email clients support SNI yet, so there might still be some complains from end-users. In that case ask them which email ciient and version of it they are using and recommend a more modern version or alternative.
Of course a Vsite must have an SSL certificate in order for SNI to work. However: A free "Let's Encrypt" SSL certificate is sufficient and these can be requested and installed via the GUI.
What the Update does in detail:
Upon YUM successful update on a running 5209R or 5210R CCEd is restarted and a Constructor checks if the file /etc/dovecot/conf.d/11-sni-master.conf already exists. This new config file adds parsing of an include directory for configs of SSL enabled Vsites. That directory is /etc/dovecot/conf.sni.d/
If /etc/dovecot/conf.d/11-sni-master.conf is not yet present, then it will be created. The Constructor then polls CCEd for all SSL enabled Vsites and creates Dovecot SNI config files for them in the format of /etc/dovecot/conf.sni.d/<sitename>.conf. These config files contain 'local_name' entries for all domain names and aliases that the SSL certificate of this Vsite is valid for. So if an SSL certificate is a wildcard or valid for multiple domain names, then each of them will work - provided other factors such as DNS and Email Server Aliases check out.
When an SSL certificate is created, updated, imported or changed via the GUI, then the SNI include file of that Vsite will be generated or updated automatically and Dovecot is restarted.
When a Vsite's SSL support is disabled or if the Vsite is being deleted, the SNI include file is removed from the Dovecot configuration and Dovecot will be restarted as well.
This should provide a rather seamless and hassle free integration of SNI for POP3 and IMAP.
SNI for SMTP?
At this point we are still unable to provide SNI for SMTP, as Sendmail doesn't have SNI support yet and it doesn't seem likely that it ever will. For 5210R we are therefore exploring alternatives which might be implemented as YUM update in the future. It is somewhat likely that we might finally ditch Sendmail and use Postfix instead. However, this needs more time to make that transition as smooth as possible.