Re: [exim] Problem with tls_certificate and multiple domains
Richard James Salts via Exim-users Wed, 16 Oct 2019 01:26:43 -0700

On 16 October 2019 6:29:29 pm AEDT, Cyborg via Exim-users <exim-users@exim.org> wrote:
>
> Nospam2k <nospa...@gmail.com> (Wed 16 Oct 2019 08:05:05 CEST):
>> Perhaps I should go about this a different way. I am going to be
>> hosting multiple domains. Since it seems that $tls_in_sni is returning
>> blank and/or can be unreliable, what is the best way to handle things?
>> To just use a default domain for handling mail? For example, use
>> mail.myhosting.com for everything instead of mail.mysite.com?
>
> I can understand that you want to use the domain's own TLS cert, but SMTP
> TLS isn't about authenticity, it's about encryption.
>
> The cert your mailserver presents must match the hostname your mailserver
> has and which it presents to others. It's 100% OK to use the host's cert
> in TLS, as long as you have that name in your MX.

I don't think that SNI is remotely useful for MX traffic. Unless you're using DNSSEC you can't trust that a hostname appearing in an MX response is legitimate. If you're wanting to somehow tie the mail server to a legitimate certificate where it somehow reflects the recipient address, then the only trustworthy value is the domain name of that address itself. For this reason a better option for authentication of MX records and mail servers is checking DANE/TLSA.

Where SNI becomes useful is for submission services. I believe many recent MUAs will send the server name extension in their TLS handshake to match what was added into the outgoing server setting. If this doesn't match then most will display a security warning similar to the way browsers do.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
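The DANE/TLSA check recommended above, as an added Go example that is not from this thread or from Exim: it derives the association data a TLSA record would carry for a certificate and verifies a presented leaf certificate against a DANE-EE ("3 1 1") record, so the binding rests on the key, not on the hostname. It assumes only usage 3 with selectors 0/1 and matching types 0/1, uses a self-signed certificate constructed inline in place of a real MX certificate, and leaves DNSSEC validation of the record itself out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TLSA holds the RDATA fields of a DANE TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}
// AssocData derives the association data for cert: selector 0 = whole cert,
// 1 = SubjectPublicKeyInfo; matching type 0 = raw, 1 = SHA-256; else nil.
func AssocData(cert *x509.Certificate, selector, matching uint8) []byte {
	in := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if in == nil || matching > 1 {
		return nil
	}
	if matching == 1 {
		sum := sha256.Sum256(in)
		return sum[:]
	}
	return in
}
// Matches checks a DANE-EE (usage 3) record against the presented leaf cert.
// No hostname is compared: the DNSSEC-signed record pins the key itself.
func (r TLSA) Matches(cert *x509.Certificate) bool {
	d := AssocData(cert, r.Selector, r.MatchingType)
	return r.Usage == 3 && d != nil && string(d) == string(r.Data)
}
// RecordFor is what the zone would publish for cert: "3 1 1 <sha256 of SPKI>".
func RecordFor(cert *x509.Certificate) TLSA {
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: AssocData(cert, 1, 1)}
}
// SelfSigned makes a throwaway cert (constructed test data) so this runs offline.
func SelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Two certificates carrying the same CommonName but different keys do not match the same record, which is the property SNI alone cannot give an MX client.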