On 7/15/2013 1:03 PM, Patrick Ben Koetter wrote:
> In absence of SNI either the MX of all domains point to one MX with a valid
> cert or you bring up an instance per domain.
>

Bringing up a Postfix instance per domain would require unique ports (or a dedicated IP address) for each instance, correct? Seems like a maintenance nightmare.

> If your clients insist that a mail server is only professional if the TLS
> session has their domain name written on it, then give them what they want at
> the price it costs to implement it.
>

Your position is perfectly reasonable, and is more or less the position that I've taken on the matter. I just wanted to be sure that there isn't some panacea that I had overlooked.

In order to give our clients what they want, what are our choices? To use a SAN certificate that includes each client's domain name? The most obvious problem with this seems to be that this would leak our "client list" to the public. That is, it would be trivial to inspect the certificate and discern the companies for which we host email services.

The second problem is adding new domains to the SAN field as new clients come online. Presumably, this requires having the certificate re-issued. Is anyone else using this approach, and if so, does the CA charge you for each re-issue? Or are you able to add new domains at a whim without incurring additional costs?

> Those are the choices and don't mean to start a flame war.
>

I appreciate the frankness of your reply; I was looking for a succinct response, and you provided it.

As a final point of note, I realize that it is impossible to avoid having IP addresses that our company controls present in our clients' DNS records, unless we issue unique IP addresses to each client. (I had made a few conflicting statements in my initial post.)

Thank you!

-Ben
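The "client list" concern raised above is easy to verify for yourself. The following is an added example, not part of this thread or of Postfix: it builds a throwaway self-signed certificate whose SAN field carries several constructed client hostnames (the way a shared MX certificate would), then lists the names exactly as any party that fetches the certificate over STARTTLS could read them. It assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`); every hostname and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: show what a multi-domain SAN
# certificate exposes to anyone who connects. All names are constructed.
set -e
WORK=$(mktemp -d)

# Build a throwaway self-signed cert with several dNSName SAN entries,
# modelled on a hosting provider's shared MX certificate (constructed).
make_san_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 \
    -subj "/CN=mx.hoster.example" \
    -addext "subjectAltName=DNS:mx.hoster.example,DNS:mail.client-a.example,DNS:mail.client-b.example" \
    >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print one SAN hostname per line. This is the same information a client
# sees after "openssl s_client -starttls smtp -connect mx:25" on the live MX.
list_san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Count SAN names other than the provider's own MX host: each of these is a
# hosted client domain that the certificate publishes.
count_leaked_names() {
  list_san_names "$1" | grep -v -c '^mx\.hoster\.example$' || true
}

CERT=$(make_san_cert)
list_san_names "$CERT"
echo "client hostnames exposed by the certificate: $(count_leaked_names "$CERT")"
```

Run against your own MX certificate instead of the throwaway one, `list_san_names` is the review step to do before each re-issue: every name it prints is public, so the per-client instance or SNI route trades maintenance cost for not publishing that list.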