(Viktor, I'm going to reply to Wietse first, just because his questions are fewer and I am hoping to clarify the points of confusion before others reply.)
On 7/15/2013 1:24 PM, Wietse Venema wrote: > Ben Johnson: >> Hello, >> >> We host mail services for a few dozen domains. We will eventually >> require TLS for all client connections. >> >> I have reviewed what seems to be the most comprehensive thread on this >> subject ( >> http://postfix.1071664.n5.nabble.com/TLS-SNI-support-td25552.html ) and, >> in light of that information, am trying to determine the best course of >> action. >> >> In essence, our clients wish to use their own SSL certificates for their >> SMTP connections. Given that there are no plans to implement SNI in >> Postfix (it seems not to be sufficiently useful to justify the work >> involved, which I understand), I am left wondering what the alternative >> might be. >> >> Our clients will not accept the position, "You just have to ignore the >> 'domain mistmatch' warning and accept the certificate permanently when >> you connect to the mail server." And I don't blame them. > > You are creating massive confusion because you fail to explain > > a) whether you're talking about MUA service or MTA service, and > The "domain mismatch" occurs in the MUA (e.g., Thunderbird, Apple Mail, etc.). > b) what name is "mismatching" with your SMTP server name, and > Some of our clients insist that they access the the MTA that handles their mail, which resides on one of our servers, via their own domain names. So, these clients are using smtp.client.com instead of smtp.provider.com. Whether or not this is a "necessary" or "a good idea" is, unfortunately, largely irrelevant. I have tried to convince clients that they should be connecting to the submission service via *our* domain name, and not their own domain name, but have faced nothing but resistance. > c) why the customer is using that name. > Because the customer wants to "control" his own SSL certificate, including its renewal, re-issuance, and revocation. This does not seem like an entirely unreasonable request, to be fair. (I do realize that this is a "false sense of security", given that the client must relay all certificate changes through us, since we control the MTA.) > Wietse > I really appreciate your time, Wietse. Thanks for the reply. Let me know if anything else is unclear. -Ben
