> On Oct 23, 2017, at 12:17 PM, Ivan Ristic <ivan.ris...@gmail.com> wrote:
>
> Not in practice. If you're not using vanity MX, it's obvious where the email
> is going.
Actually (ignoring for the moment the clear-text DNS query leak, which DNSPRIV is supposed to address) the opposite is true. When sending email without SNI to any of the domains below, the TLS network traffic looks largely the same (no leak of the recipient domain). We can only make progress on the pros/cons of SNI for SMTP STS if we can get the basic facts straight. The quoted text above is simply wrong.

    cleanis.nu. IN MX 0 cleanis-nu.mail.protection.outlook.com.
    cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.170
    cleanis-nu.mail.protection.outlook.com. IN A 213.199.154.202

    targetoo.co.uk. IN MX 0 targetoo-co-uk.mail.protection.outlook.com.
    targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.170
    targetoo-co-uk.mail.protection.outlook.com. IN A 213.199.154.202

    tib.nu. IN MX 0 tib-nu.mail.protection.outlook.com.
    tib-nu.mail.protection.outlook.com. IN A 213.199.154.170
    tib-nu.mail.protection.outlook.com. IN A 213.199.154.202

    taberna.no. IN MX 10 taberna-no.mail.protection.outlook.com.
    taberna-no.mail.protection.outlook.com. IN A 213.199.154.170
    taberna-no.mail.protection.outlook.com. IN A 213.199.154.202

(IP addresses vary based on global DNS load balancers.)

So SNI would add a privacy leak channel to SMTP TLS. The same leak presently exists for the DNS MX lookup, but that's cached, so made less frequently, and may be at some point in part addressed via DPRIV.

-- 
Viktor.