On 25 Jan 2018, at 16:17 (-0500), MK wrote:

There were some discussions in 2015 and more recently about SNI support. For IMAP/POP, dovecot (which allows SNI support) has a configuration like this in our setup:
local_name imap.example.org {
  ssl_cert = </etc/ssl/certs/imap.example.org.crt
  ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
  ssl_cert = </etc/ssl/certs/imap.example2.org.crt
  ssl_key = </etc/ssl/private/imap.example2.org.key
}
Moving from a perl-based SMTP server that allowed me to load multiple 
certificates, my clients all use mail.yourdomain.com:587 as their 
outgoing mail server. For the most part, a STARTTLS command is issued 
and the connection is upgraded to SSL. This has worked really well, 
with the end user needing to remember only mail.yourdomain.com for 
incoming and outgoing mail, and still getting SSL encryption.  Thus 
far, we've found every mail client has supported this method without 
any errors.
I found this discussion circa 2015 
(http://postfix.1071664.n5.nabble.com/postfix-and-multiple-TLS-certificates-td80968.html) 
which references the request, but it doesn't seem to have come to 
fruition.
That thread also has explanations by Wietse & Viktor of why SNI for 
Postfix is difficult both to justify and to safely implement.
This is not for outgoing SSL (which makes sense to come only from the server), or for incoming mail (which would go to the MX record in question), but for incoming mail submission, via SSL. The clients all support SNI, and any recent version of OpenSSL supports SNI.
Does postfix? 
No.

If so how to configure?  If not, how to feature request this?
Provide a compelling argument for it to Wietse?

I don't understand why SNI for mail submission is something anyone wants to deploy instead of just giving all users one hostname for submission and handling the housekeeping for just one certificate.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
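The question above (does the submission server on port 587 pick a certificate from the SNI name the client sends, as the Dovecot local_name blocks do for IMAP) can be checked from the client side rather than inferred from documentation. The script below is an added example, not code from the thread, from Postfix or from Dovecot: it opens a plaintext SMTP session, issues STARTTLS, completes the TLS handshake with a chosen server_name, and reports whether the certificate actually served covers that name. The host names are placeholders, and the name-matching helpers follow the usual rule that a wildcard only replaces the leftmost label.

```python
"""Added example (not from the thread): probe an SMTP submission server on
port 587 over STARTTLS with different SNI names and report which hostnames
each presented certificate actually covers. Host names are placeholders.
"""
import smtplib
import ssl
import sys


def cert_dns_names(cert):
    """DNS names a certificate asserts: subjectAltName DNS entries plus the
    subject commonName, in the dict layout SSLSocket.getpeercert() returns."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard confined to the leftmost label (RFC 6125
    style): '*.example.org' covers 'mail.example.org' but not
    'a.b.example.org' or the bare 'example.org'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def cert_covers(cert, hostname):
    """True if any name in the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def probe_submission_cert(host, sni, port=587, timeout=10):
    """EHLO, STARTTLS, then finish the TLS handshake with `sni` as the
    server_name extension and return the peer certificate dict.
    The chain is still verified against the system trust store (a
    self-signed server raises), but hostname checking is off because the
    point is to see which certificate is served, not whether it matches."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        code, msg = smtp.docmd("STARTTLS")
        if code != 220:
            raise RuntimeError(f"STARTTLS refused: {code} {msg!r}")
        tls = ctx.wrap_socket(smtp.sock, server_hostname=sni)
        try:
            return tls.getpeercert()
        finally:
            tls.close()
    finally:
        smtp.close()


def report(host, snis, port=587):
    """Map each SNI name to whether the certificate served for it covers
    that name. The same certificate coming back for every name, covering
    only one of them, is the 'no SNI on the submission port' case."""
    return {sni: cert_covers(probe_submission_cert(host, sni, port), sni)
            for sni in snis}


if __name__ == "__main__":
    # usage: python probe_sni.py mail.example.org mail.example2.org ...
    if len(sys.argv) < 2:
        sys.exit("usage: probe_sni.py <host> [sni-name ...]")
    target, *names = sys.argv[1:]
    for name, ok in report(target, names or [target]).items():
        print(f"{name}: {'covered' if ok else 'NOT covered'}")
```

Run it against the connect address with each customer-facing name as an SNI value; a server that ignores SNI returns its one default certificate for every name, and only the name(s) that certificate lists will show as covered.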
