Viktor Dukhovni:
> On Mon, Dec 14, 2015 at 04:34:58PM +0000, Viktor Dukhovni wrote:
>
> > So, we've managed to hold off on offering SNI support for a decade
> > since TLS was integrated into Postfix 2.2. I just wanted to see
> > whether anyone still wanted it in Postfix, but perhaps if they
> > really did they've moved on to other solutions.
>
> So far I'm not sensing any burning desire for server-side SNI in
> Postfix, and it is quite late in the 3.1 cycle, so if we're going
> to do SNI, it'll be in 3.2 or later.
>
> At present, the Postfix SMTP client only sends SNI with DANE, where
> it is clear what name to ask for (the TLSA base domain). With
> "verify" and "secure" it is far from clear that sending SNI would
> do more good than harm, and we match multiple names or name patterns,
> so the choice of what to send in SNI is not so clear.

For the client, maybe this can be configured with "sni=example.net"
(or nexthop) as a policy? I agree that a fully-automated solution
may not be feasible.

> I think we're set for now with Postfix as-is.

Wietse