Viktor Dukhovni:
> On Mon, Sep 08, 2014 at 04:43:36PM -0700, Quanah Gibson-Mount wrote:
>
> > A number of our zimbra customers deploy where they are hosting accounts for
> > multiple domains (At least one client hosts over 100,000 domains). These
> > deployments generally use a single set of MTAs for their MX records, which
> > works fine as long as TLS is not involved. However, with the increasing
> > desire for security, our clients are becoming quite interested in enabling
> > TLS at the smtpd layer.
>
> Which works just fine with a single certificate, because TLS in
> SMTP is generally unauthenticated. If all the various domains
> share the same MX hostnames, many implementations that log
> "speculative" authentication results (no actual enforcement, just
> logging that a given session happened to appear to not be MiTMed)
> will match the MX host against the shared certificate.
I'd like to hear a bit more on this from other people than Viktor. There is a difference between "technically perfect" (e.g., telling everyone to adopt DNSSEC and DANE or else don't bother), and what is "currently justifiable".

Wietse
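The check Viktor describes, a logging-only ("speculative") comparison of the MX hostname the client connected to against the names in the server certificate, as an added illustration that is not part of this thread and not Postfix code. It implements RFC 6125-style dNSName matching (case-insensitive, a wildcard only as the whole leftmost label) and runs it over a constructed set of hosted domains that share one MX host; all domain, MX and certificate names are made-up sample data. It shows why one certificate covering the shared MX hostnames "matches" for every hosted domain, and that such a match says nothing about the hosted domain itself.

```python
"""Added example: speculative MX-name vs. certificate-name matching.

This is not code from the mailing-list thread or from Postfix; it is an
illustration of the check Viktor describes. All hostnames and certificate
names are constructed sample data.
"""


def dns_name_matches(pattern, host):
    """RFC 6125-style match of one certificate dNSName against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A single '*'
    is accepted only as the entire leftmost label and matches exactly one
    label; '*.tld' patterns are refused.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as "*.test".
    if len(p_labels) < 3:
        return False
    # '*' matches exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def mx_matches_certificate(mx_host, san_dns_names):
    """True if any dNSName in the certificate's SAN list matches mx_host."""
    return any(dns_name_matches(name, mx_host) for name in san_dns_names)


def speculative_results(domain_to_mx, san_dns_names):
    """Return {hosted_domain: matched} as a logging-only check would record.

    Nothing here is enforced: a False result would only be logged, not
    used to refuse delivery, which is what "speculative" means above.
    """
    return {
        domain: mx_matches_certificate(mx_host, san_dns_names)
        for domain, mx_host in domain_to_mx.items()
    }


# Constructed sample data: three hosted domains share one MX host, a fourth
# points at an MX that the shared certificate does not cover.
SAMPLE_DOMAIN_TO_MX = {
    "example-a.test": "mx1.mailhost.test",
    "example-b.test": "MX1.Mailhost.TEST",   # same host, different case
    "example-c.test": "mx2.mailhost.test",   # covered by the wildcard name
    "example-d.test": "mx.elsewhere.test",   # not covered
}

# Constructed dNSName entries of the shared MX certificate.
SAMPLE_SAN_DNS_NAMES = ["mx1.mailhost.test", "*.mailhost.test"]


if __name__ == "__main__":
    for domain, ok in speculative_results(SAMPLE_DOMAIN_TO_MX,
                                          SAMPLE_SAN_DNS_NAMES).items():
        print(f"{domain:16s} MX={SAMPLE_DOMAIN_TO_MX[domain]:22s} "
              f"cert name match: {'yes' if ok else 'no'}")
```

Note that every match here is against the MX hostname, never against the hosted domain (example-a.test and so on); an attacker who controls the unsigned DNS lookup that produced the MX name can substitute a host whose certificate they hold, which is why a match is only worth logging unless the MX lookup itself is authenticated (the DNSSEC/DANE point Wietse refers to).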