On Mon, Dec 14, 2015 at 06:37:59AM -0500, Wietse Venema wrote:

> > Thanks for the moral support. I agree that SNI is not particularly
> > compelling for port 25. The strongest arguments for SNI that
> > I've seen are for port 587 submission, where there's no MX indirection;
> > users' MUAs have statically configured SMTP servers.
>
> And those clients need SNI because...?
Firstly, because MUAs actually do WebPKI certificate checks, so the
certificate content actually matters.

More importantly, because some folks operate mail submission via a shared
IP address for multiple domains, and want to retain the flexibility to
re-target submission for some and not others by having users set up to use
"smtp.respective-domain.example" as their submission server. Perhaps it is
not for us to decide whether their desire to do that is completely
rational, or substantially "emotional".

Hosting shared submission services is simply difficult: if the domains are
truly customer domains and not a handful of one's domains, then it is
typically impractical to obtain all the necessary certificates to do SNI
at scale. Ultimately, the simplest model is to just have all the users
update their submission server settings to point at a single shared name.

So, we've managed to hold off on offering SNI support for a decade since
TLS was integrated into Postfix 2.2. I just wanted to see whether anyone
still wanted it in Postfix, but perhaps if they really did they've moved
on to other solutions.

--
Viktor.
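The mechanics the message is arguing about, as an added example that is not part of the original thread and not Postfix code: a shared-IP submission server has to pull the server_name (SNI) extension out of the ClientHello and use it to choose which certificate to present, falling back to a shared certificate when the client sent no SNI or asked for a name the server has no certificate for. The certificate table, the file paths and the hostnames below are constructed for illustration, and lowercasing plus trailing-dot stripping of the requested name is a normalization choice made here, not something the protocol mandates.

```python
"""Extract the SNI host_name from a TLS ClientHello and pick a certificate.

Added example, not Postfix code. The ClientHello bytes, the certificate
table and the file paths are constructed for illustration only.
"""
import struct

# TLS record / handshake constants (RFC 5246, RFC 6066)
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0
SNI_HOST_NAME = 0


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally with SNI.
    Random and cipher suite are filler; only the layout parse_sni() walks
    is meaningful."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x00\x2f"                     # one cipher suite
    body += b"\x01\x00"                             # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def _walk_client_hello(record):
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                     # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    if pos == len(body):
        return None                                  # no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lst = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(lst):
            name_type, name_len = struct.unpack("!BH", lst[i:i + 3]); i += 3
            name = lst[i:i + name_len]; i += name_len
            if name_type == SNI_HOST_NAME:
                # Normalization choice for table lookup; RFC 6066 names
                # carry no trailing dot and DNS names are case-insensitive.
                return name.decode("ascii").lower().rstrip(".")
    return None


def parse_sni(record):
    """Return the SNI host_name, or None if the client sent none.
    Malformed input raises ValueError instead of silently returning None."""
    try:
        return _walk_client_hello(record)
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


# Constructed table: one certificate per customer-facing submission name.
# Obtaining and renewing these at scale is the hard part the message describes.
CERTS = {
    "smtp.alpha.example": "/etc/ssl/alpha.pem",
    "smtp.beta.example": "/etc/ssl/beta.pem",
}
DEFAULT_CERT = "/etc/ssl/shared-submission.pem"   # hypothetical shared-name cert


def select_certificate(client_hello, certs=CERTS, default=DEFAULT_CERT):
    """Return (requested_name, certificate_path). With no SNI, or a name we
    hold no certificate for, the shared certificate is presented; an MUA
    configured with smtp.<customer>.example then fails hostname verification,
    which is the failure SNI is meant to avoid."""
    sni = parse_sni(client_hello)
    if sni is not None and sni in certs:
        return sni, certs[sni]
    return sni, default


if __name__ == "__main__":
    for name in ("smtp.alpha.example", "smtp.gamma.example", None):
        print(name, "->", select_certificate(build_client_hello(name)))
```

The fallback branch is the point of contention in the thread: with a single shared name every MUA gets a certificate that matches what it was configured with, while per-customer names only work if a certificate exists for each of them.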