Quanah Gibson-Mount:
> --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema
> <[email protected]> wrote:
>
> > Viktor Dukhovni:
> >> So, we've managed to hold off on offering SNI support for a decade
> >> since TLS was integrated into Postfix 2.2. I just wanted to see
> >> whether anyone still wanted it in Postfix, but perhaps if they
> >> really did they've moved on to other solutions.
> >
> > Would haproxy/nginx be an option? If a site has hundreds of domains,
> > they may need a "submission" loadbalancer anyway.
>
> Given nginx's complete disregard for RFCs (*) and unwillingness to examine
> or fix issues related to the email proxy portion of their product (IMAP,
> POP, SMTP), I'd definitely avoid it. I.e., I would not recommend nginx as
> a solution in front of postfix to anyone.
>
> *<https://forum.nginx.org/read.php?29,252772,253147>

[nginx sends plaintext credentials to the MTA] This should not be
a problem as long as the network between the TLS-terminating load
balancer and the MTA is trusted. If it isn't, use a VPN or tunnel.

Wietse