On 2015-12-15 12:22, wie...@porcupine.org wrote:
> Michael Ströder:
>> Sebastian Nielsen wrote:
>>> Yes.
>>> It's just a draft.
>> Everything starts with a draft.
>>> Which certificate should the server use for the encrypted transaction, even if
>>> we use SNI?
>>> emailservice1.com or emailservice2.com?
>> The recipient domain would be used with SNI.
> This session has multiple recipients, in different domains that
> have the same MX host. Whose SNI shall be used?
First, you check if you really need SNI. SNI is only needed if you try
to authenticate the TLS connection and the MX-record is not secured by
DNSSEC. Therefore, in the case of smtp_tls_security_level=may, you do
not use SNI. If smtp_tls_security_level is secure/verify you cannot
reuse the TLS connection. You must open a new connection for each domain
like in the case where the MX-records point to different hosts.
On the other side: if you do not want to use SNI, please describe a
scalable solution of how you authenticate TLS connections in this
situation under the assumption that emailservice1.com,
emailservice2.com, emailservice3.com ... do NOT belong to the same
organisation and therefore including the domains in the SAN of the
certificate is nearly impossible.
Michael
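A small planner, added here as an illustration and not code from the thread or from Postfix, that applies the rule in the message above to the multi-recipient session Wietse describes: recipients at level "may" share one unauthenticated connection per MX host with no SNI, while "secure"/"verify" recipients each get their own connection, with SNI set to the recipient domain only when the MX record was not DNSSEC-secured. The Recipient/ConnectionPlan names and the sample MX host are assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Recipient:          # hypothetical type, not a Postfix structure
    domain: str           # recipient mail domain, e.g. emailservice1.com
    mx_host: str          # MX host the domain resolves to
    mx_dnssec: bool       # was the MX lookup DNSSEC-validated?
    tls_level: str        # smtp_tls_security_level: "may", "secure" or "verify"


@dataclass(frozen=True)
class ConnectionPlan:
    mx_host: str
    sni: Optional[str]            # TLS server name to send, None = no SNI
    recipients: Tuple[str, ...]   # domains delivered over this connection


def sni_needed(r: Recipient) -> bool:
    """SNI is needed only when the connection is authenticated (secure/verify)
    and the MX record is not secured by DNSSEC."""
    return r.tls_level in ("secure", "verify") and not r.mx_dnssec


def plan_connections(recipients: List[Recipient]) -> List[ConnectionPlan]:
    groups: "OrderedDict[tuple, List[str]]" = OrderedDict()
    for r in recipients:
        if r.tls_level == "may":
            # opportunistic TLS: no authentication, no SNI, one shared connection per MX host
            key = (r.mx_host, None, None)
        else:
            # authenticated TLS: a separate connection for every recipient domain
            key = (r.mx_host, r.domain if sni_needed(r) else None, r.domain)
        groups.setdefault(key, []).append(r.domain)
    return [ConnectionPlan(mx, sni, tuple(doms)) for (mx, sni, _), doms in groups.items()]


def example_session() -> List[Recipient]:
    """Constructed sample: five domains that all share one MX host."""
    mx = "mx.hoster.example"  # placeholder MX host
    return [
        Recipient("emailservice1.com", mx, False, "secure"),
        Recipient("emailservice2.com", mx, False, "secure"),
        Recipient("emailservice3.com", mx, False, "may"),
        Recipient("emailservice4.com", mx, False, "may"),
        Recipient("emailservice5.com", mx, True, "verify"),  # DNSSEC-secured MX
    ]


if __name__ == "__main__":
    for plan in plan_connections(example_session()):
        print(plan)
```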