On 25 Jan 2018, at 16:17 (-0500), MK wrote:
There were some discussions in 2015 and more recently about SNI
support.
For IMAP/POP, dovecot (which allows SNI support) has a configuration
like this in our setup:
local_name imap.example.org { ssl_cert =
</etc/ssl/certs/imap.example.org.crt ssl_key =
</etc/ssl/private/imap.example.org.key}local_name imap.example2.org
{ ssl_cert = </etc/ssl/certs/imap.example2.org.crt ssl_key =
</etc/ssl/private/imap.example2.org.key}
Moving from a perl-based SMTP server that allowed me to load multiple
certificates, my clients all use mail.yourdomain.com:587 as their
outgoing mail server. For the most part, a STARTTLS command is issued
and the connection is upgraded to SSL. This has worked really well,
with the end user needing to remember only mail.yourdomain.com for
incoming and outgoing mail, and still getting SSL encryption. Thus
far, we've found every mail client has supported this method without
any errors.
I found this discussion circa 2015
( http://postfix.1071664.n5.nabble.com/postfix-and-multiple-TLS-certificates-td80968.html )
which references the request, but it doesn't seem to have come into
fruition.
That thread also has explanations by Wietse & Viktor of why SNI for
Postfix is difficult both to justify and to safely implement.
This is not for outgoing SSL (which makes senses to come only from the
server), or for incoming mail (which would go to the MX record in
question) but for incoming mail submission, via SSL. The clients all
support SNI, any recent version of OpenSSL supports SNI.
Does postfix?
No.
If so how to configure? If not, how to feature request this?
Provide a compelling argument for it to Wietse?
I don't understand why SNI for mail submission is something anyone wants
to deploy instead of just giving all users just one hostname for
submission and handling the housekeeping for just one certificate.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
