Sebastian Nielsen wrote:
> Yes.
> It's just a draft.

Everything starts with a draft.

> Which certificate should the server use for the encrypted transaction, even if
> we use SNI?
> emailservice1.com or emailservice2.com?

The recipient domain would be used with SNI.

> and why there is a need to use the MX identity to tie
> the certificate to the server.

To protect against MX spoofing.

> To protect against modified MX data, DNSSEC has
> to be used instead.

Time will tell how trustworthy and secure real-world DNSSEC really is...

I guess discussing all this in detail is not appropriate on this mailing list.
Still I can imagine that SNI support in postfix could be useful for implementing
special TLS usage policies even if it does not scale to millions of certs.

Ciao, Michael.

> -----Original message-----
> From: Michael Ströder
> Sent: Tuesday, December 15, 2015 10:51 AM
> To: Sebastian Nielsen ; postfix-users@postfix.org
> Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed]
>
> Sebastian Nielsen wrote:
>> The certificate is normally validated against the MX name, not recipient
>> domain.
>
> Did you read the referenced I-D before replying?
>
> https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1
>
> Ciao, Michael.
>
>> "Michael Ströder" <mich...@stroeder.com> wrote: (15 December 2015 10:12:56
>> CET)
>>> Viktor Dukhovni wrote:
>>>> So, we've managed to hold off on offering SNI support for a decade
>>>> since TLS was integrated into Postfix 2.2. I just wanted to see
>>>> whether anyone still wanted it in Postfix, but perhaps if they
>>>> really did they've moved on to other solutions.
>>>
>>> SNI is a prerequisite for implementing something like [1] if a host is
>>> MX for
>>> more than one recipient domain.
>>>
>>> Ciao, Michael.
>>>
>>> [1] https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs

--
Michael Ströder
Klauprechtstr. 11
Dipl.-Inform.
D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
Mobil: +49 170 2391920
E-Mail: mich...@stroeder.com
http://www.stroeder.com
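The exchange above turns on two questions: which name the sending MTA puts in SNI so that a host that is MX for several domains can pick the right certificate, and which name the client verifies that certificate against when the MX record itself may have been spoofed. The following Python model is an added illustration and is neither part of the thread nor Postfix code. It assumes the MX lookup result is handed in as an `MxLookup` record with a flag saying whether the answer was DNSSEC-validated, reduces certificates to their SAN dNSName lists, and uses a constructed server-side map `SERVER_CERTS` with the constructed host name `mx.hosting.example`; the domain names emailservice1.com and emailservice2.com come from the thread. The client always accepts a certificate naming the recipient domain (the name it started from, which a forged MX answer cannot change) and accepts a certificate naming only the MX host when the MX data was DNSSEC-validated, which is the distinction the two posters are making.

```python
"""Model of SNI name selection and certificate identity checking for SMTP
delivery (added example, not code from the thread or from Postfix)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class MxLookup:
    """Assumed input: the resolved MX records for one recipient domain."""
    recipient_domain: str
    mx_hosts: List[str]
    dnssec_validated: bool = False   # True only if the MX answer was DNSSEC-validated


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def sni_name(lookup: MxLookup) -> str:
    """Client side: the SNI value is the recipient domain, so a shared MX can
    select the certificate issued for that domain."""
    return _norm(lookup.recipient_domain)


def reference_identities(lookup: MxLookup) -> Set[str]:
    """Client side: names the server certificate is allowed to match.

    The recipient domain is always trustworthy.  MX hostnames are added only
    when the MX answer was DNSSEC-validated; otherwise a spoofed MX record
    would let the attacker choose the name the certificate has to carry."""
    ids = {_norm(lookup.recipient_domain)}
    if lookup.dnssec_validated:
        ids.update(_norm(h) for h in lookup.mx_hosts)
    return ids


def dns_name_matches(pattern: str, name: str) -> bool:
    """Compare one SAN dNSName against a reference name.  A wildcard is only
    honoured as the whole left-most label and only with at least two labels
    after it, so '*.com' never matches."""
    pattern, name = _norm(pattern), _norm(name)
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == suffix


def certificate_accepted(san_dns_names: List[str], lookup: MxLookup) -> bool:
    """Client side: accept the certificate if any SAN name matches any
    reference identity derived for this delivery."""
    refs = reference_identities(lookup)
    return any(dns_name_matches(san, ref) for san in san_dns_names for ref in refs)


# Constructed server-side map: one host is MX for two recipient domains and
# holds one certificate per domain plus a default certificate (key None) for
# clients that send no SNI or an unknown name.  Values are SAN dNSName lists.
SERVER_CERTS: Dict[Optional[str], List[str]] = {
    "emailservice1.com": ["emailservice1.com", "*.emailservice1.com"],
    "emailservice2.com": ["emailservice2.com"],
    None: ["mx.hosting.example"],
}


def select_certificate(sni: Optional[str], certs=SERVER_CERTS) -> List[str]:
    """Server side: pick the certificate keyed by the SNI name the client sent,
    falling back to the default certificate."""
    key = _norm(sni) if sni else None
    return certs.get(key, certs[None])


if __name__ == "__main__":
    for secure in (False, True):
        lookup = MxLookup("emailservice1.com", ["mx.hosting.example"], secure)
        cert = select_certificate(sni_name(lookup))
        print(f"dnssec={secure}: SNI={sni_name(lookup)} cert={cert} "
              f"accepted={certificate_accepted(cert, lookup)} "
              f"mx-only-cert-accepted="
              f"{certificate_accepted(['mx.hosting.example'], lookup)}")
```

Run stand-alone, the script shows that with SNI the shared host serves the certificate for the requested recipient domain and the client accepts it regardless of DNSSEC, whereas a certificate that names only the MX host is accepted solely when the MX answer was DNSSEC-validated.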