Amazing! Thanks! I'd request considering allowing SNI to be enabled per port. While using it in production we found that a very small number (<1%) of mail servers sending to our server didn't like SNI, likely ancient mail servers. That said, we didn't find any clients (Outlook, phones, etc.) that didn't. At this time we run SNI on port 587 with all the certificates, and port 25 is just the mail server name. I'd recommend making that setup an option for maximum compatibility, if possible.
As for the request for a use case someone mentioned, it's based on the submission port (587). A hosting provider has machine1.hostingdomain.com, machine2.hostingdomain.com and machine3.hostingdomain.com. One of their customers, customerdomain.com, comes on board with DNS changes and adds their mailboxes. Their employees don't want to see hostingdomain as their server name. Moreover, the customer needs more space and you move that customer from machine1 to machine2. You now need to update all clients. Instead, the client uses mail.customerdomain.com and you can move them around independent of the server setup without impacting clients. Exim supports it. Dovecot supports it. It's also the reality that we have servers with way more capacity these days, and having another incoming hostname is not unthinkable.

Sent from Yahoo Mail for iPhone

On Thursday, January 25, 2018, 7:16 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Jan 25, 2018, at 5:52 PM, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
>
>> I found this discussion circa 2015 (
>> http://postfix.1071664.n5.nabble.com/postfix-and-multiple-TLS-certificates-td80968.html
>> ) which references the request, but it doesn't seem to have come into
>> fruition.
>
> That thread also has explanations by Wietse & Viktor of why SNI for Postfix
> is difficult both to justify and to safely implement.
>
>> This is not for outgoing SSL (which makes sense to come only from the
>> server), or for incoming mail (which would go to the MX record in question)
>> but for incoming mail submission, via SSL. The clients all support SNI, any
>> recent version of OpenSSL supports SNI.
>> Does postfix?
>
> No. I'm tentatively planning to start work on SNI for Postfix 3.4 in April...
>
> --
> Viktor.
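The per-port arrangement described above (SNI certificate selection on the submission port, one fixed certificate on port 25) as an added configuration example. It is not part of this thread and not something Postfix offered when the message was written: it assumes Postfix 3.4 or later, where the tls_server_sni_maps and smtpd_tls_chain_files parameters exist, and the hostnames, customer names and file paths are made up for illustration.

```text
# /etc/postfix/main.cf  (assumed paths, example only)
# No SNI map globally: port 25 (and any other smtpd service that does not
# override this) presents only the machine's own certificate, which is what
# the old sending MTAs in the thread expect.
tls_server_sni_maps =
smtpd_tls_chain_files =
    /etc/postfix/chains/machine1.hostingdomain.com.key,
    /etc/postfix/chains/machine1.hostingdomain.com.pem

# /etc/postfix/master.cf
# Port 25: inherits main.cf, so no SNI lookups here.
smtp       inet  n  -  y  -  -  smtpd

# Port 587: enable SNI lookups for this service only.
submission inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o tls_server_sni_maps=hash:/etc/postfix/sni

# /etc/postfix/sni  (source text for the SNI map)
# SNI name (lookup key)       file holding the private key, then the
#                             certificate chain, leaf certificate first
mail.customerdomain.com       /etc/postfix/sni/mail.customerdomain.com.pem
mail.othercustomer.example    /etc/postfix/sni/mail.othercustomer.example.pem

# Build the map. "postmap -F" stores the *contents* of the listed files in
# the table rather than their names, so the key and chain for a hostname
# are read when the map is built, not at each connection. Re-run both
# commands whenever a customer key or certificate is renewed or moved.
#   postmap -F hash:/etc/postfix/sni
#   postfix reload
```

Two things worth checking after deploying something like this. First, a client that sends no SNI, or an SNI name that is not in the map, gets the default chain from smtpd_tls_chain_files, so the submission service still works for clients that never send SNI; confirm it with `openssl s_client -connect machine1.hostingdomain.com:587 -starttls smtp -servername mail.customerdomain.com`, which should show the customer certificate, and the same command without `-servername`, which should show machine1's. Second, the same two commands against port 25 should show machine1's certificate in both cases, because that service never reads the map. Since the map embeds the key material, the file on disk being renewed changes nothing until postmap is re-run; a monitoring check on the certificate actually served on 587 catches that failure mode, whereas a check on the file does not.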