> On Oct 11, 2019, at 10:19 AM, micah anderson <mi...@riseup.net> wrote:
>
> I am aware of that, but I'm not asking specifically how to implement
> this, I'm more trying to find out what really is the concern here with
> enabling this, and what we need to do to fix that.
The concern is as stated: we don't know what remote MTAs will do if they receive an unexpected SNI. You can try it I guess, and see what happens. One way to hedge your bets is to use the "servername" field in per-destination TLS policies, but otherwise leave SNI disabled. Since you probably need a policy service anyway to emulate MTA-STS in Postfix, that policy service can also return "servername=hostname".

-- 
Viktor.
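To make the suggestion concrete, here is an added example (not code from the thread or from the Postfix project) of a small per-destination TLS policy lookup of the kind Viktor describes: a tcp_table-style server that Postfix can query through `smtp_tls_policy_maps = tcp:127.0.0.1:10027`, answering from a cache of MTA-STS policies. The cache contents, port number and domain names are constructed for illustration; the `get <key>` / `200 <value>` / `500 <text>` request and reply shape and the %XX encoding of characters below 33, above 126 and `%` follow the documented tcp_table(5) protocol. Domains with an enforce-mode policy get `secure match=<mx list>`, and `servername=` is emitted explicitly (an assumption about how to fill that attribute) only when the policy names a single MX host, so SNI is sent solely to destinations that are known to expect it; every other destination falls through to the default `smtp_tls_security_level`, with SNI left disabled.

```python
import socketserver

# Constructed sample of what an MTA-STS fetcher might have cached.
# Real deployments populate this from the _mta-sts TXT record and the
# https://mta-sts.<domain>/.well-known/mta-sts.txt policy file.
MTA_STS_CACHE = {
    "example.com": {"mode": "enforce", "mx": ["mx1.example.com", "mx2.example.com"]},
    "example.net": {"mode": "enforce", "mx": ["mail.example.net"]},
    "example.org": {"mode": "testing", "mx": ["mail.example.org"]},
}

LISTEN_ADDR = ("127.0.0.1", 10027)  # constructed; match it in smtp_tls_policy_maps


def tcp_table_encode(text: str) -> str:
    """%XX-encode characters that tcp_table(5) does not allow in the clear."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 33 or code > 126 or ch == "%":
            out.append("%%%02X" % code)
        else:
            out.append(ch)
    return "".join(out)


def tcp_table_decode(text: str) -> str:
    """Reverse of tcp_table_encode for the lookup key Postfix sends."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text) + 0 and len(text) >= i + 3:
            out.append(chr(int(text[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def tls_policy_for(nexthop: str):
    """Return a Postfix TLS policy string for an enforce-mode MTA-STS domain, else None."""
    domain = nexthop.lower().strip("[]")
    entry = MTA_STS_CACHE.get(domain)
    if entry is None or entry["mode"] != "enforce":
        return None  # testing/none policies do not change transport security
    hosts = entry["mx"]
    policy = "secure match=" + ":".join(hosts)
    if len(hosts) == 1:
        # Only one server name to expect, so it is safe to pin SNI to it.
        policy += " servername=" + hosts[0]
    return policy


def handle_request(line: str) -> str:
    """Turn one tcp_table request line into the reply line (without newline)."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "get":
        return "400 unsupported request"
    key = tcp_table_decode(parts[1])
    policy = tls_policy_for(key)
    if policy is None:
        return "500 no enforce-mode MTA-STS policy for " + tcp_table_encode(key)
    return "200 " + tcp_table_encode(policy)


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:
            reply = handle_request(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\n").encode("ascii"))


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN_ADDR, PolicyHandler) as srv:
        srv.serve_forever()
```

Two caveats for anyone adapting this: MTA-STS `mx:` patterns may be wildcards such as `*.example.com`, which need translating to whatever form your Postfix `match=` list accepts before they go into the reply, and a multi-MX destination gets no `servername=` here because a single per-destination attribute cannot name every MX host. Keep `smtp_tls_servername` and any global SNI setting unset so that SNI is only sent where this table says so.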