On 09/03/16 06:44, Viktor Dukhovni wrote:
On Mar 8, 2016, at 2:31 PM, Curtis Villamizar <cur...@orleans.occnc.com> wrote:

With HTTP the server cert is provided after HTTP identifies which
virtual host it thinks it's talking to.  The IP address alone gives no
clue.  That connection is then used only for that virtual host.  This
is why you can have a TLS cert per vhost (aka DNS domain).
To be more precise, with HTTPS, the desired TLS server name is
conveyed via the TLS SNI extension and the HTTP server presents
the corresponding certificate.  By contrast, the Postfix SMTP
server neither supports nor needs SNI.
But some MUAs (i.e. users' mail clients) do support SNI and will try to match against the name that was entered into the configuration. This might be important if you have many white label resellers who want clients to be able to enter mail.<reseller's domain> into their customers' mail clients.

Firstly, SMTP TLS connections are typically unauthenticated, and
it does not matter which certificate the server presents, so no
need to have one that matches any particular name.

In the rare cases that authentication does take place through
the magic of MX record redirection a single MX host can support
multiple domains provided that it is the MX hostname and not the
target domain that the client authenticates.  This is the case
with DANE.

        https://tools.ietf.org/html/rfc7672#section-1.3
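The DANE point made above (the client authenticates the MX hostname, never the target e-mail domain, so one MX host can serve many domains) as a worked example. This is code added for this page, not Postfix code and not anything posted in the thread. It uses only hashlib, takes the DER bytes of the server certificate and of its SubjectPublicKeyInfo as inputs the caller has already extracted (the sample bytes below are constructed placeholders, not a real certificate), and encodes my reading of RFC 7672 section 3.1: with DANE-EE(3) the TLSA data alone authenticates the key and no name check applies; with DANE-TA(2) the certificate must match the MX hostname (the TLSA base domain).

```python
import hashlib
from dataclasses import dataclass

# Constructed sample input: NOT a real certificate or key, just opaque bytes
# standing in for DER data the caller extracted from the server's certificate
# (the full certificate and its SubjectPublicKeyInfo).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"


@dataclass(frozen=True)
class TlsaRecord:
    usage: int           # 2 = DANE-TA, 3 = DANE-EE (the two usages used with SMTP)
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes          # certificate association data


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form "3 1 1 <hex>" into a TlsaRecord."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    # the hex data is often wrapped across several whitespace-separated chunks
    data = bytes.fromhex("".join(fields[3:]))
    return TlsaRecord(usage, selector, matching_type, data)


def association_data(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must contain for this certificate."""
    if record.selector == 0:
        subject = cert_der
    elif record.selector == 1:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {record.selector}")
    if record.matching_type == 0:
        return subject
    if record.matching_type == 1:
        return hashlib.sha256(subject).digest()
    if record.matching_type == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies this TLSA record's data."""
    return association_data(record, cert_der, spki_der) == record.data


def publish_tlsa(cert_der: bytes, spki_der: bytes,
                 usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Presentation-format record a zone operator would publish for this key
    (default "3 1 1", the usual choice for SMTP)."""
    template = TlsaRecord(usage, selector, matching_type, b"")
    data = association_data(template, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def names_to_verify(record: TlsaRecord, mx_host: str) -> frozenset:
    """Names the client must find in the certificate (my reading of RFC 7672 3.1).
    DANE-EE(3): the key itself is pinned, so no name check at all.
    DANE-TA(2): the certificate must match the MX hostname, i.e. the TLSA base
    domain, and never the e-mail domain whose MX record pointed here.
    PKIX usages 0 and 1 are not used for SMTP DANE."""
    if record.usage == 3:
        return frozenset()
    if record.usage == 2:
        return frozenset({mx_host.rstrip(".").lower()})
    raise ValueError(f"usage {record.usage} is not applicable to SMTP DANE")


def verify_mx(records, mx_host: str, cert_der: bytes, spki_der: bytes, cert_names) -> bool:
    """True if any published TLSA record authenticates the presented certificate.
    cert_names are the dNSName SANs the caller extracted from the certificate."""
    present = {n.rstrip(".").lower() for n in cert_names}
    for record in records:
        if not tlsa_matches(record, cert_der, spki_der):
            continue
        if names_to_verify(record, mx_host) <= present:
            return True
    return False


if __name__ == "__main__":
    rr = publish_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("_25._tcp.mx1.example.net. IN TLSA", rr)
    rec = parse_tlsa(rr)
    # DANE-EE: the certificate name is irrelevant, only the key matters
    print(verify_mx([rec], "mx1.example.net", SAMPLE_CERT_DER, SAMPLE_SPKI_DER, ["anything.example"]))
```

The last call returns True even though the certificate carries no name related to the MX host, which is exactly why a single DANE-EE MX host can accept mail for any number of domains without per-domain certificates; with a DANE-TA record the same function instead requires the MX hostname in the certificate, still independent of the e-mail domain.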

