On Mon, Sep 08, 2014 at 08:22:54PM -0400, Wietse Venema wrote:
> I'd like to hear a bit more on this from other people than Viktor.
> There is a difference between "technically perfect" (e.g., telling
> everyone to adopt DNSSEC and DANE or else don't bother), and what
> is "currently justifiable".
In particular, does any non-Postfix mail hosting system actually practice authenticated SMTP hosting with SNI (which most MTAs don't send) and the logistics of deploying customer-provided private keys? Even if the hosting provider is also the CA (say GoDaddy or similar, which can technically issue certs to itself for the client domains, though possibly in violation of expected CA practices), the lack of SNI in most client SMTP implementations is, I think, a show-stopper for multi-certificate TLS virtual hosting at a single TCP endpoint. I expect that no such deployments exist, or would function at all well in the near term.

--
Viktor.