On 07.11.2014 at 07:28, Peter wrote:
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
and it is smart to do it that way
unlike webservers you don't have different content for different
hostnames but mandatory user authentication - so why waste time and
money dealing with different hostnames and certificates?
I understand where you're coming from, it is a purely cosmetic
difference which affects one setting in a user's email client, but that
one setting is rather important to a lot of people.
which people?
I haven't met a single one within 2 years of business hosting for some hundred
domains - the typical end user doesn't care about anything, and in that context I
take the word "anything" really seriously
they enter whatever is on their sheet to configure the client, or if you
are doing autodiscovery they don't need to enter it at all
even a multi-domain certificate is a nightmare when you get new domains
and need to replace it every time, and even if SNI were supported you
likely will not have much luck with client support (and no, users don't
use up-to-date software all the time - sad but true)
Someone mentioned that current versions of Thunderbird support it,
that's a good start.
fine - and I see clients which break if you disable SSL3
recently, after switching to SHA256/RSA4096 certificates, it even turned
out that some users still have stone-age clients in use not supporting that
that gives you a picture of "current" versus "the world"
well, and in the case of multiple domains you get multiple user types
Those clients that don't support it would be no different than they are
now. They could either (1) use the fallback (provider) hostname to
connect to and get the correct certificate, or (2) accept the scary
popup that indicates the wrong certificate.
explain the difference to the users - hint: you won't have any success
until now nobody has been able to tell me any benefit of multiple server
names for a mailserver instead of 1 hostname, 1 certificate and 1 PTR
matching the A-record and HELO name, with 100, 200, 300, 500 MX records
in different domains pointing there
Right, but that's for the MX, we're talking submission server here
which is in many cases the same server and only a different port
but that is not the point
the point is you gain nothing with SNI on a mailserver