It appears that @lbutlr <krem...@kreme.com> said:
>On 2022 Feb 25, at 08:55, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> The moment TLS enters into the picture, you start to need much more
>> complicated certificate management to get MUAs to see an acceptable
>> certificate for its expected name on ports 587 and 465,

Also for STARTTLS on port 25 for SMTP clients.

>Ah. Hmm. That does sound like a bit of a problem.
>
>What sort of complicated certificate management?

When a client does a STARTTLS on a port 25 or 587 session, or at connection
time on a port 465 session, the mail server sends back a certificate with the
server name in it. If that name does not match the name the client is
expecting, various bad things can happen, ranging from a warning message in
the mail log to dropping the connection if the server has a TLSA DNS record to
identify the certificate, or you use MTA-STS (see RFCs 8460 and 8461).

If your server has more than one name, there is a TLS feature called Server
Name Indication, or SNI, in which the client sends the name it is looking for,
and the server tries to find a certificate to match. Postfix has SNI support,
but it is not normally turned on, and it is your problem to get the actual
certificates.

Because I am that sort of person (as Viktor can confirm), I hacked SNI into my
homebrew mail server, gave it a different MX name for each of the 100 domains
it serves, and got 100 certificates from Let's Encrypt. It works for me, but
other than sometimes seeing that spambots have an odd idea of who they are
talking to, I wouldn't necessarily recommend it for anyone else.

R's,
John
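The name check John describes, modelled as an added example that is not code from the thread or from Postfix: the client sends the MX name it expects as SNI, the server picks a chain for that name (or its default chain), and the client checks the presented certificate's names against the expected one. The certificate records, the `SNI_MAP` table and the hostnames are constructed for the demonstration; the record shape copies what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example, not code from the thread: a model of the SNI / certificate-name
# check described above, using constructed certificate records so it runs offline.
# Records copy the dict shape returned by ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """Names the cert is valid for: SAN dNSNames; the CN only if no SAN dNSName exists."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # Reject partial wildcards ('mx*'), wildcards directly under a TLD ('*.com'),
    # and any attempt to let '*' span more than one label.
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def cert_matches(cert, expected_name):
    """Client-side check: does any name in the presented cert match the expected MX name?"""
    return any(dns_name_matches(n, expected_name) for n in cert_dns_names(cert))


def select_chain(sni_map, default_cert, sni_name):
    """Server-side choice: the chain keyed by the SNI name, else the default chain.
    (Model assumption: an unknown or absent SNI name falls back to the default.)"""
    return sni_map.get(sni_name.lower().rstrip("."), default_cert) if sni_name else default_cert


def starttls_name_check(sni_map, default_cert, expected_name, send_sni=True):
    """One STARTTLS name check: client sends SNI (or not), server answers, client verifies.
    Returns (ok, presented_names) so a caller can log a mismatch the way a mail log would."""
    presented = select_chain(sni_map, default_cert, expected_name if send_sni else None)
    return cert_matches(presented, expected_name), cert_dns_names(presented)


# Constructed sample data: two MX names on one server, one chain each, plus a CN-only cert.
CERT_COM = {"subject": ((("commonName", "mx.example.com"),),),
            "subjectAltName": (("DNS", "mx.example.com"),)}
CERT_NET = {"subject": ((("commonName", "mx.example.net"),),),
            "subjectAltName": (("DNS", "*.example.net"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}
SNI_MAP = {"mx.example.com": CERT_COM, "mx.example.net": CERT_NET}

if __name__ == "__main__":
    for name, sni in (("mx.example.net", True), ("mx.example.net", False), ("mx.example.org", True)):
        ok, names = starttls_name_check(SNI_MAP, CERT_COM, name, sni)
        print(f"expected={name} sni={sni} presented={names} -> {'ok' if ok else 'MISMATCH'}")
```

The second and third cases show the two ways the mismatch John mentions arises: a client that sends no SNI gets the default chain, and a name the server has no chain for also gets the default chain.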