Wietse Venema:
> Quanah Gibson-Mount:
> > --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema
> > <wie...@porcupine.org> wrote:
> >
> > > Viktor Dukhovni:
> > >> So, we've managed to hold off on offering SNI support for a decade
> > >> since TLS was integrated into Postfix 2.2. I just wanted to see
> > >> whether anyone still wanted it in Postfix, but perhaps if they
> > >> really did they've moved on to other solutions.
> > >
> > > Would haproxy/nginx be an option? If a site has hundreds of domains,
> > > they may need a "submission" loadbalancer anyway.
> >
> > Given nginx's complete disregard for RFC's (*) and unwillingness to examine
> > or fix issues related to the email proxy portion of their product (IMAP,
> > POP, SMTP), I'd definitely avoid it. I.e., I would not recommend nginx as
> > a solution in front of postfix to anyone.
> >
> > *<https://forum.nginx.org/read.php?29,252772,253147>
>
> [nginx sends plaintext credentials to the MTA] This should not be
> a problem as long as the network between the TLS-terminating load
> balancer and the MTA is trusted. If it isn't, use a VPN or tunnel.

Of course I assume that clients will send plaintext credentials to nginx
over TLS, just like they do now with the Postfix submission service.

Wietse