On Mon, Jul 08, 2024 at 03:20:40PM +0200, Wolfgang via Exim-users wrote:

> Hello,
>
> Why is exim not using SNI for every TLS connection that gets established?
> SNI is helpful even far away from DANE for message routing, multiplexing
> MX and other stuff.

Historically, there wasn't a well-defined choice of SNI for an MX host of a domain. Should the SNI signal the destination domain or the MX hostname, or something else? Also, not all servers were prepared to handle SNI, and some could drop the connection for lack of an exact match.

Since TLS with SMTP is otherwise (DANE aside) opportunistic, there is little reason to be picky and solicit a *particular* certificate. Perhaps the historical friction has abated, and it is now safe enough to use SNI, but historically it was not worth it.

What's more, the SNI name used with DANE may be different from the one one might choose with WebPKI (TLSA base domain involving a securely resolved CNAME chain).

-- 
Viktor.
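The last paragraph is the crux of why a DANE client's SNI can differ from a WebPKI client's. As an added illustration (not code from this thread, Exim, or Viktor), the following walks RFC 7672's TLSA base-domain selection over a constructed, in-memory zone; the names, addresses, TLSA digests and the exact fallback order are my reading of the RFC and are assumptions, not live DNS.

```python
# Constructed DNS data, not live lookups: name -> [(rrtype, rdata, secure)],
# where "secure" models a DNSSEC-validated (AD=1) answer for that RRset.
ZONE = {
    # Case 1: secure CNAME to a hoster that publishes TLSA at the target name.
    "mx1.example.net.": [("CNAME", "smtp.hoster.example.", True)],
    "smtp.hoster.example.": [("A", "192.0.2.25", True)],
    "_25._tcp.smtp.hoster.example.": [("TLSA", "3 1 1 <constructed digest>", True)],
    # Case 2: secure CNAME, but TLSA exists only under the unexpanded MX name.
    "mx2.example.net.": [("CNAME", "mail.other.example.", True)],
    "mail.other.example.": [("A", "192.0.2.26", True)],
    "_25._tcp.mx2.example.net.": [("TLSA", "3 1 1 <constructed digest>", True)],
    # Case 3: unsigned CNAME hop, so the expanded name's TLSA is not usable.
    "mx3.example.net.": [("CNAME", "mail.unsigned.example.", False)],
    "mail.unsigned.example.": [("A", "192.0.2.27", False)],
    "_25._tcp.mail.unsigned.example.": [("TLSA", "3 1 1 <constructed digest>", False)],
}

def lookup(zone, name, rrtype):
    """Return (rdata list, secure) for one RRset; ([], False) on NODATA."""
    rrs = [(rd, sec) for t, rd, sec in zone.get(name, []) if t == rrtype]
    return [rd for rd, _ in rrs], bool(rrs) and all(sec for _, sec in rrs)

def expand_cnames(zone, name, limit=8):
    """Follow the CNAME chain; report whether every hop was secure."""
    secure = True
    for _ in range(limit):
        targets, sec = lookup(zone, name, "CNAME")
        if not targets:
            return name, secure
        secure, name = secure and sec, targets[0]
    raise ValueError("CNAME chain too long")

def tlsa_base_domain(zone, mx_host):
    """TLSA base domain for an MX host (my reading of RFC 7672 sec. 2.2.2):
    prefer the fully CNAME-expanded name when the whole chain was secure and
    secure TLSA records exist at _25._tcp.<expanded>; otherwise fall back to
    _25._tcp.<mx_host>. None means no usable DANE policy for this host."""
    expanded, chain_secure = expand_cnames(zone, mx_host)
    for candidate, ok in ((expanded, chain_secure), (mx_host, True)):
        rdata, secure = lookup(zone, "_25._tcp." + candidate, "TLSA")
        if ok and rdata and secure:
            return candidate
    return None

def choose_sni(zone, mx_host):
    """With DANE the SNI is fixed to the TLSA base domain; without it the
    client is opportunistic and any SNI (here the MX host) is only a hint."""
    base = tlsa_base_domain(zone, mx_host)
    return ("DANE", base) if base else ("opportunistic", mx_host)
```

Case 1 shows the divergence Viktor describes: a WebPKI client would name mx1.example.net. in SNI, while the DANE client must name smtp.hoster.example., the name whose TLSA records it verified.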