On Mon, May 07, 2012 at 06:52:44AM -0700, Fiona Hines wrote:

> I understand now what you are referring to but you were assuming
> that I was using STARTTLS, which was my mistake for not mentioning
> it.  I'm not using STARTTLS.  The connection is encrypted from the
> beginning of the transaction.  STARTTLS was created as part of the
> standards for e-mail because SNI didn't exist.  SNI still isn't
> perfect but it allows for the encryption of the connection to take
> place sooner for a variety of domains.
This is not even wrong. It appears that you're confusing SNI with
wrapper-mode SSL. Postfix does support (deprecated) wrapper-mode SSL on
the smtps port. See the commented-out service in master.cf.

Perhaps this whole thread has been discussing the wrong issue, because
you've almost certainly got your acronyms mixed up. Otherwise, you're in
any case very confused, and it is not easy to help you unless you can
figure out what you're actually looking for.

- SNI: At the start of the TLSv1 handshake (SNI is an extension and only
  TLSv1, not SSLv[23], supports extensions), the client tells the server
  what certificate name the server should present if possible. If the
  server has multiple certs to choose from, it may be able to select the
  one the client is looking for.

- Wrapper-mode SSL: The application protocol rides inside the SSL/TLS
  protocol. After the TCP 3-way handshake, the client immediately
  initiates an SSL handshake. Once the SSL channel is established, the
  SMTP protocol (220 banner, EHLO, ...) begins.

- STARTTLS: The application protocol begins first after the TCP 3-way
  handshake. Client and server negotiate an upgrade to TLS via
  appropriate application-specific mechanisms.

Any SNI support applies equally to wrapper-mode and STARTTLS; it is just
an optional feature of TLSv1 or higher SSL.

Perhaps you can clarify what you're looking for using standard terms of
art.

-- 
	Viktor.
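The three terms above, as an added example that is not part of the original thread and not Postfix code: a tiny client-side state machine that shows where the TLS ClientHello (and therefore the SNI extension) is sent in wrapper-mode SMTPS versus STARTTLS, and a parser that pulls the SNI host_name back out of that ClientHello. The ClientHello builder fills in only the fields needed to place the extension (placeholder random, one cipher suite); it is not a usable handshake, and the server replies in the STARTTLS transcript are constructed for illustration. The host names, the `SmtpTlsClient` class and the mode names "smtps"/"starttls" are assumptions of this example.

```python
"""Added illustration (hypothetical, not Postfix's code): SNI is a TLS
extension inside the ClientHello, so it is sent the same way whether the
ClientHello goes out immediately (wrapper-mode smtps) or only after the
plaintext EHLO/STARTTLS exchange."""
import struct


def build_client_hello(server_name=None, version=(3, 1)):
    """Build a minimal TLS ClientHello record (RFC 5246 layout).

    version (3, 1) is TLSv1.0; (3, 0) is SSLv3, which has no extensions
    block at all, so no SNI can be carried. Random/cipher suites are
    placeholders: this is for inspecting layout, not for a real handshake.
    """
    random = b"\x00" * 32                         # placeholder, not random
    session_id = b"\x00"                          # length 0
    cipher_suites = b"\x00\x02" + b"\x00\x2f"     # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                     # one method: null
    body = bytes(version) + random + session_id + cipher_suites + compression
    if version > (3, 0) and server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: name_type 0 (host_name) + uint16 length + name
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name
        sn_ext_data = struct.pack("!H", len(sn_list)) + sn_list
        ext = struct.pack("!HH", 0x0000, len(sn_ext_data)) + sn_ext_data  # type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    p = 2 + 32                                            # client_version + random
    p += 1 + body[p]                                      # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]        # cipher_suites
    p += 1 + body[p]                                      # compression_methods
    if p >= len(body):
        return None                                       # no extensions block (e.g. SSLv3)
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p < end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name: skip list length (2) + name_type (1)
            nlen = struct.unpack("!H", body[p + 3:p + 5])[0]
            return body[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None


class SmtpTlsClient:
    """Client side of an SMTP session up to the point where TLS begins.

    mode "smtps": wrapper mode, ClientHello goes out right after TCP connect.
    mode "starttls": plaintext 220/EHLO/STARTTLS first, ClientHello only
    after the server's 220 reply to STARTTLS.
    feed() takes the server's bytes (b"" for "just connected") and returns
    what the client sends next.
    """

    def __init__(self, mode, server_name, helo_name="client.example"):
        self.mode, self.server_name, self.helo_name = mode, server_name, helo_name
        self.state = "connected"

    def feed(self, server_bytes):
        if self.mode == "smtps" and self.state == "connected":
            self.state = "tls"
            return build_client_hello(self.server_name)
        line = server_bytes.decode("ascii", "replace").strip()
        if self.state == "connected" and line.startswith("220"):
            self.state = "sent_ehlo"
            return f"EHLO {self.helo_name}\r\n".encode("ascii")
        if self.state == "sent_ehlo" and line.startswith("250"):
            if "STARTTLS" not in line.upper():
                raise RuntimeError("server did not offer STARTTLS")
            self.state = "sent_starttls"
            return b"STARTTLS\r\n"
        if self.state == "sent_starttls" and line.startswith("220"):
            self.state = "tls"
            return build_client_hello(self.server_name)   # same SNI as wrapper mode
        raise RuntimeError(f"unexpected reply in state {self.state}: {line!r}")


def wrapper_mode_first_bytes(server_name):
    """Wrapper mode: the very first client bytes are already a TLS record."""
    return SmtpTlsClient("smtps", server_name).feed(b"")


def starttls_transcript(server_name):
    """STARTTLS: run the plaintext preamble against constructed server replies."""
    server_replies = [
        b"220 mail.example ESMTP\r\n",                 # constructed banner
        b"250-mail.example\r\n250 STARTTLS\r\n",       # constructed EHLO reply
        b"220 2.0.0 Ready to start TLS\r\n",           # constructed STARTTLS reply
    ]
    client = SmtpTlsClient("starttls", server_name)
    return [client.feed(r) for r in server_replies]


if __name__ == "__main__":
    print("smtps first bytes carry SNI:", extract_sni(wrapper_mode_first_bytes("mail.example")))
    out = starttls_transcript("mail.example")
    print("starttls client sends:", out[0], out[1], "then SNI:", extract_sni(out[2]))
    print("SSLv3 ClientHello SNI:", extract_sni(build_client_hello("mail.example", version=(3, 0))))
```

In wrapper mode the first byte on the wire is 0x16 (a TLS handshake record) and the SNI is already inside it; in STARTTLS mode the same record, with the same SNI, is only sent after the server's 220 reply to STARTTLS, and in between the 220 banner, EHLO and the STARTTLS command cross the wire in the clear. With a (3, 0) client version the builder emits no extensions block and the parser returns None, which is the "SSLv[23] does not support extensions" point from the message.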