On 07 Nov 2014, at 04:02, Peter <pe...@pajamian.dhs.org> wrote: >> Mind you, hosting of submission servers across organizational >> boundaries, typically means rather unnatural sharing of private >> keys, while hosting within a single organization, is perhaps poor >> planning, since a single MSA hostname could have been communicated >> to all users as each domain was registered. > > I do have to agree with this, but I also see a lot of users requesting > SNI both here on the mailing list and on IRC lately. This is why I > personally think it is probably time to look into implementing it. I do > try to offer up alternatives to SNI, but people seem to be increasingly > adamant that they want SNI as a solution. Whether it's an ideal > solution or not is certainly up for debate, but the demand is there.
There are some 'legitimate' scenarios in which a submission server could end up with multiple hostnames in seperate domains, such as when it takes over this duty from a different server after an acquisition, merger and so on. But these scenarios are covered by a multi-domain certificate, with a subjectAltName list. This works now, and doesn't require any changes to the Postfix code. Demand does not always equal a valid technical reason. There's been 'demand' for things like virtual hosting and such as well, which generally comes down to people wanting to have 'pretty' hostnames for their customers, in places where basically only automated processes ever see it. >> I don't want to support SNI until it actually works correctly in >> mainstream OpenSSL releases on actual operating systems. I think >> we can revisit this in due course. > > I seem to see this argument a few times in this thread, but I have yet > to really see (or perhaps I just don't understand) what the actual issue > is with the current SNI implementation in openssl. Is it not good > enough for people to be able to simply present the correct server > certificate for the domain name requested? I honestly think that's all > that people want it for, to get rid of the scary "invalid certificate" > popup that people see when submitting mail. Purely my personal opinion, but I would suggest that the burden of proof is on the side of the requestor. Demonstrate a legitimate, non-cosmetic need for SNI in Postfix, one that cannot be addressed by using a multi-domain certificate, adding extra IP addresses and splitting it that way, or using Victor's port example? Mvg, Joni
