@wez wez commented Jan 8, 2026

This is a completely untested and undocumented attempt at hooking up the use of SNI to resolve the server certificate setup for an SMTP session.

Usage should be along these lines:

```lua
kumo.on('smtp_server_get_dynamic_tls_parameters', function(listener, conn_meta, client_hello)
  local hostname = client_hello.server_name

  if not hostname then
    -- SNI not provided by client, just use overall parameters
    return
  end

  -- TODO: sanity check hostname here; it was provided by the peer
  -- so treat it as untrusted. In particular, you should sanitize
  -- it before using it for path resolution!

  return {
    -- Use the SNI-provided name as the hostname to validate against
    hostname = hostname,
    tls_private_key = {
      vault_path = string.format('keys/%s.key', hostname),
    },
    tls_certificate = {
      vault_path = string.format('keys/%s.cert', hostname),
    },
  }
end)
```

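One way to fill in the TODO above, as an added example that is not part of the PR: validate the peer-supplied `server_name` as a DNS hostname and check it against an allowlist before it is ever used to build a vault path. The hook signature and the `tls_private_key` / `tls_certificate` / `vault_path` fields are taken from the PR description; `ALLOWED_SNI_DOMAINS` and `validate_sni_hostname` are constructed here for illustration.

```lua
-- Constructed allowlist: only names we actually hold keys for may select a cert.
local ALLOWED_SNI_DOMAINS = {
  ['mail.example.com'] = true,
  ['mx.example.net'] = true,
}

-- Returns the normalized hostname, or nil plus a reason when it is rejected.
-- Rejecting anything that is not a well-formed DNS name is what keeps a
-- peer-controlled value from steering 'keys/%s.key' outside the intended prefix.
local function validate_sni_hostname(name)
  if type(name) ~= 'string' or #name == 0 or #name > 253 then
    return nil, 'missing or bad length'
  end
  local host = name:lower():gsub('%.$', '') -- strip a single trailing dot
  for label in (host .. '.'):gmatch('([^.]*)%.') do
    -- each label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
    if #label == 0 or #label > 63 then
      return nil, 'bad label length'
    end
    if not label:match('^[a-z0-9][a-z0-9%-]*$') or label:match('%-$') then
      return nil, 'bad label characters'
    end
  end
  if not ALLOWED_SNI_DOMAINS[host] then
    return nil, 'not served here'
  end
  return host
end

kumo.on('smtp_server_get_dynamic_tls_parameters', function(listener, conn_meta, client_hello)
  local hostname, reason = validate_sni_hostname(client_hello.server_name)

  if not hostname then
    -- Fall back to the listener's static TLS parameters, and record why,
    -- so an odd SNI value shows up in the logs rather than in a vault lookup.
    print(string.format('SNI rejected (%s); using default certificate', reason))
    return
  end

  return {
    hostname = hostname,
    tls_private_key = { vault_path = string.format('keys/%s.key', hostname) },
    tls_certificate = { vault_path = string.format('keys/%s.cert', hostname) },
  }
end)
```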