On Fri, Nov 07, 2014 at 09:49:33AM +0100, lst_ho...@kwsoft.de wrote:

> > Ciao, Michael.
>
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> Doesn't need SNI either...
Does not *need* it in most designs, because hosting can and should use DANE-EE(3) TLSA RRs, which skip certificate name checks, so the same certificate works for all domains that share the same TLSA RR, with the name binding via the DNS, not the certificate.

That said, DANE-EE(2) can also be used for hosting, with SNI potentially required, so DANE SMTP clients MUST send SNI (containing the RFC 6698 TLSA base domain). DANE SMTP servers MAY use the SNI data to choose the right certificate, but MUST NOT fail when the SNI request contains a name for which no particular certificate is configured. Instead, servers must use some sensible alternative certificate.

Anyway, I tentatively expect to add server-side SNI to Postfix development snapshots in ~2015/2016. Client-side SNI is automatically enabled when the server publishes TLSA RRs.

-- 
Viktor.
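A worked illustration of the two behaviours the reply above describes: DANE-EE(3) matching on the client side, where a shared certificate satisfies every domain that publishes the same TLSA RR and no name check is performed, and SNI handling on the server side, where an unknown SNI name falls back to a default certificate instead of failing. This is an added example, not code from the thread or from Postfix. The TLSA record layout (usage, selector, matching type, data) follows RFC 6698; the certificate, SPKI bytes and domain names are constructed placeholders, and the SNI name is taken to be the TLSA base domain as the reply states.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# RFC 6698 certificate usage values relevant to SMTP DANE.
DANE_TA = 2  # usage 2: trust anchor, needs chain building (not handled here)
DANE_EE = 3  # usage 3: end entity, certificate name checks are skipped


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR: usage, selector, matching type, association data."""
    usage: int
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def tlsa_hash(mtype: int, blob: bytes) -> bytes:
    """Apply the TLSA matching type to the selected certificate component."""
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def dane_ee_matches(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: accept the peer if any DANE-EE(3) record matches its leaf.

    No hostname is compared against the certificate, which is why one
    certificate can serve every domain sharing the same TLSA RR. Usage 2
    records are skipped here because they require chain validation.
    """
    for r in records:
        if r.usage != DANE_EE:
            continue
        blob = cert_der if r.selector == 0 else spki_der
        try:
            if tlsa_hash(r.mtype, blob) == r.data:
                return True
        except ValueError:
            continue  # unusable record, try the next one
    return False


def client_sni_name(tlsa_base_domain: str) -> str:
    """Client side: the SNI extension carries the TLSA base domain."""
    return tlsa_base_domain.rstrip(".").lower()


def server_select_cert(sni: Optional[str], certs_by_name: Dict[str, bytes],
                       default_cert: bytes) -> bytes:
    """Server side: SNI MAY pick a certificate, but an unknown name MUST NOT
    fail the handshake; fall back to a sensible default certificate."""
    if sni:
        return certs_by_name.get(sni.rstrip(".").lower(), default_cert)
    return default_cert


# Constructed sample data: one hosting certificate shared by two domains.
HOSTING_SPKI = b"constructed-SPKI-of-shared-hosting-key"
HOSTING_CERT = b"constructed-DER-of-shared-hosting-cert"
SHARED_RR = TLSA(DANE_EE, 1, 1, hashlib.sha256(HOSTING_SPKI).digest())

# Both hosted domains publish the same RR; one also has an unrelated usage-2 RR.
TLSA_BY_BASE_DOMAIN: Dict[str, List[TLSA]] = {
    "mx.alpha.example": [SHARED_RR],
    "mx.beta.example": [TLSA(DANE_TA, 0, 1, b"\x00" * 32), SHARED_RR],
}

# Server side: a per-name certificate for one domain and a default for the rest.
CERTS_BY_NAME = {"mx.alpha.example": b"constructed-DER-of-alpha-specific-cert"}


def verify_hosted_domains() -> Dict[str, bool]:
    """Run the client-side DANE-EE check for every constructed base domain."""
    return {
        base: dane_ee_matches(rrs, HOSTING_CERT, HOSTING_SPKI)
        for base, rrs in TLSA_BY_BASE_DOMAIN.items()
    }


if __name__ == "__main__":
    for base, ok in verify_hosted_domains().items():
        print(f"{base}: SNI={client_sni_name(base)} DANE-EE match={ok}")
    print(server_select_cert("mx.gamma.example", CERTS_BY_NAME, HOSTING_CERT))
```

The same `HOSTING_CERT` matches under both base domains because the match is on the SPKI digest, not the name; swapping in a different key fails, and a server asked for a name it has no certificate for still answers with the default.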