On Thu, Nov 06, 2014 at 08:37:14PM -0500, Wietse Venema wrote:

> Postfix gets the client-specified servername with SSL_get_servername(),
> and then it uses the SSL_CTX for that servername.

I think SNI-based virtual hosting stinks, and I'd hate to encourage its use. Particularly for MX hosts it is FAR more sensible to just use a fixed MX hostname for multiple domains.

The plausibly sensible use-case for SNI with SMTP is for submission servers. The settings for the submission server name are not presently learned from DNS (some recent RFCs notwithstanding). Thus updating the submission server would require changes in the email settings of all users. So when submission services are hosted, the name of the submission host is usually kept fixed.

Mind you, hosting of submission servers across organizational boundaries typically means rather unnatural sharing of private keys, while hosting within a single organization is perhaps poor planning, since a single MSA hostname could have been communicated to all users as each domain was registered.

I don't want to support SNI until it actually works correctly in mainstream OpenSSL releases on actual operating systems. I think we can revisit this in due course.

-- 
Viktor.