On 07/05/12 18:46, Fiona Hines wrote:
> That won't work for me. SNI support is the only solution for my
> scenario since I can't use just one SSL certificate. I haven't used
> Google Apps to know what you are talking about.

I used Google Apps as an example of a provider that services what probably amounts to tens or hundreds of thousands of domains for email, and they do it all with one SSL certificate with only a single common name. SMTP is not HTTP and it does not work the same; you simply do not need to have a separate SSL certificate for every domain you host, one certificate will work for everything.

> And I've got a feeling that the "250 response" part of your reply is
> just wrong - which 250 response? Certificates are validated by clients
> during the handshake and the connection is terminated if the
> verification step fails. That happens long before even the SMTP banner
> is emitted.

I meant the 220 greeting, which happens before the STARTTLS command that initiates the TLS handshaking. There is also a 250 (plain text) response after the initial EHLO or HELO that also occurs before initiation of the TLS handshaking.

I think you need to have a good read of:

http://www.postfix.org/TLS_README.html

Peter
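The plaintext phase Peter describes (220 greeting, then the 250 EHLO reply, and only then STARTTLS and the TLS handshake), as an added illustration that is not part of the original thread or of Postfix. The server lines and the hostname mx.example.net are constructed; the code parses what a client reads before TLS, decides whether to proceed to STARTTLS, and builds the verifying client context it would wrap the socket with afterwards.

```python
import ssl

# Constructed sample of what a client reads before any TLS: the 220 greeting,
# then the multi-line 250 reply to EHLO. The client sends STARTTLS only after
# seeing it advertised here (hostname is made up).
SAMPLE_SERVER_LINES = [
    "220 mx.example.net ESMTP Postfix",
    "250-mx.example.net",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
]

def parse_plaintext_phase(lines):
    """Walk the 220 greeting and the 250 EHLO reply as a client sees them.
    Returns the greeting host and the set of advertised ESMTP extensions."""
    if not lines or not lines[0].startswith("220 "):
        raise ValueError("expected a 220 greeting, got %r" % lines[:1])
    greeting_host = lines[0][4:].split()[0]
    reply = lines[1:]
    if not reply or not reply[0].startswith("250"):
        raise ValueError("EHLO rejected: %r" % reply[:1])
    extensions, terminated = set(), False
    for i, line in enumerate(reply):
        # "250-" continues the reply, "250 " (space) is its last line
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO reply line %r" % line)
        if i > 0:  # first line names the server, later ones carry a keyword
            extensions.add((line[4:].split() or [""])[0].upper())
        if line[3] == " ":
            terminated = True
            break
    if not terminated:
        raise ValueError("EHLO reply never terminated")
    return greeting_host, extensions

def may_start_tls(extensions, require_tls=True):
    """Decide whether to send STARTTLS. With require_tls the session is
    abandoned rather than continued in the clear, the safe default since
    the 250 reply itself was read without TLS protection."""
    if "STARTTLS" in extensions:
        return True
    if require_tls:
        raise RuntimeError("STARTTLS not advertised; refusing plaintext")
    return False

def client_tls_context(cafile=None):
    """Context used to wrap the socket once the server answers 220 to
    STARTTLS. The name verified is the server's own hostname, not each
    hosted mail domain, so one certificate can cover all of them."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```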