On 16 October 2019 6:29:29 pm AEDT, Cyborg via Exim-users <exim-users@exim.org> 
wrote:
>
>Nospam2k <nospa...@gmail.com> (Mi 16 Okt 2019 08:05:05 CEST):
>>> Perhaps I should go about this a different way. I am going to be
>hosting multiple domains. Since it seems that $tls_in_sni is returning
>blank and/or can be unreliable, what is the best way to handle things?
>To just use a default domain for handling mail? For example, use
>mail.myhosting.com for everything instead
>of mail.mysite.com?
>
>I can understand that you want to use the domain's own TLS cert, but SMTP
>TLS isn't about authenticity, it's about encryption.
>
>The cert your mailserver presents must match the hostname
>your mailserver has and which it presents to others. It's 100% OK to
>use the host's cert in TLS, as long as you have that name in your MX.

I don't think that SNI is remotely useful for MX traffic. Unless you're 
using DNSSEC you can't trust that a hostname appearing in an MX response is 
legitimate. If you're wanting to somehow tie the mail server to a legitimate 
certificate where it somehow reflects the recipient address then the only 
trustworthy value is the domain name of that address itself. For this reason a 
better option for authentication of MX records and mail servers is checking 
DANE/TLSA.

Where SNI becomes useful is for submission services. I believe many recent MUAs 
will send the server name extension in their TLS handshake to match what was 
added into the outgoing server setting. If this doesn't match then most will 
display a security warning similar to the way browsers do. 

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
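As an added illustration of the DANE/TLSA check mentioned in the message above (this is example code written for this page, not anything from the thread or from Exim), the following shows how a TLSA record's certificate association data is derived from a server certificate and compared, so an operator can confirm that the record published for an MX host actually matches the certificate that host serves. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for the DER that a real TLS handshake would return; the function names are my own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded certificate and its
# SubjectPublicKeyInfo as obtained from a TLS handshake (not real X.509).
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes-for-mx.example.test"
SAMPLE_SPKI_DER = b"constructed-subjectpublickeyinfo-der-bytes"


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file presentation form '3 1 1 <hex...>'.

    The hex part may be split across several whitespace-separated fields,
    which is how long records are commonly written in zone files.
    """
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("TLSA field out of range")
    data = bytes.fromhex("".join(fields[3:]))
    return TlsaRecord(usage, selector, mtype, data)


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the data a record with this selector/matching type must carry."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate satisfies the record's association data.

    For usage 3 (DANE-EE) this comparison is the whole check. Usages 0 and 1
    additionally require a PKIX-valid chain, and usage 2 requires the chain to
    pass through the matched trust anchor; that validation is outside this example.
    """
    expected = association_data(cert_der, spki_der, record.selector, record.mtype)
    return hmac.compare_digest(record.data, expected)


def build_tlsa(cert_der: bytes, spki_der: bytes, usage: int = 3,
               selector: int = 1, mtype: int = 1) -> str:
    """Render the record an operator would publish for this certificate.

    The default '3 1 1' (DANE-EE, SPKI, SHA-256) is the common choice because
    the record survives certificate renewals that keep the same key pair.
    """
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"


if __name__ == "__main__":
    published = build_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    record = parse_tlsa(published)
    print("record:", published)
    print("matches served cert:", tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    # A certificate with a different key fails the check.
    print("matches other key:", tlsa_matches(record, SAMPLE_CERT_DER, b"some-other-key"))
```

In practice the two byte strings come from the certificate the MX actually presents, and the record comes from a DNSSEC-validated lookup of `_25._tcp.<mx-hostname>`; without DNSSEC on that lookup the TLSA data is no more trustworthy than the MX record itself, which is the point made above.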
