If we want to try to respect MTA-STS, when doing STARTTLS, the sender
needs to send the right information in the TLS SNI (Server Name
Indication) extension. An MTA-STS-honoring SMTP client expects to
validate the X.509 certificate of the receiving MTA, but that MTA might
be known by a dozen names, unless the SNI is provided.

For example, if I'm trying to reach out to mail.example.biz but it
happens to also serve mail.example.com on the same address at port 25, I
definitely need to tell it which hostname I'm looking for, so that the
server can offer me the mail.example.biz certificate instead of the
mail.example.com certificate.

In some MTA implementations, such as Postfix 3.4, there is a parameter
(smtp_tls_servername), which sends the value to the remote SMTP server
in the TLS SNI extension.

However, the documentation seems to suggest that there could be problems
with this parameter:

http://www.postfix.org/postconf.5.html#smtp_tls_servername

        Some SMTP servers use the received SNI name to select an
        appropriate certificate chain to present to the client. While
        this may improve interoperability with such servers, it may
        reduce interoperability with other servers that choose to abort
        the connection when they don't have a certificate chain
        configured for the requested name. When in doubt, leave this
        parameter empty, and configure per-destination SNI as needed.

Does anyone have any statistics on how frequent an occurrence this
actually is? Is it actually such a major problem that turning this on
will cause significant issues? It seems like Gmail does send SNI, likely
unconditionally, since it attempts to negotiate TLS 1.3, where SNI is
expected. This suggests that it is likely safe to send SNI, but it would
be good to find out.

Those of you running MTAs, can you gather from your logs all the servers
you've connected to in the past, and attempt to connect to them with SNI
and collect those which abort connections, so we can find out what needs
to change to make this parameter safe to enable? Does anyone have any
contacts at any of the mail gamification sites that can add this check?

If we wish to respect MTA-STS, we need to get servers who are doing this
to stop doing this.

Sorry for postfix-users, who have already heard this, I wanted to reach
a wider audience.

-- 
        micah

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
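One way to run the survey micah asks for against the destinations in your own logs, as an added example (not code from the post, from Postfix, or from any MTA): it does EHLO and STARTTLS by hand so that the same host can be probed once with SNI set to its name (verifying the chain and hostname, as an MTA-STS client would) and once with no SNI as a control, and each outcome is reduced to a label you can tally. The hostnames, the EHLO name `probe.invalid` and the label names are assumptions of this example.

```python
import socket
import ssl
from typing import Optional


def make_context(verify: bool = True) -> ssl.SSLContext:
    """TLS context that validates the chain and the SNI name, as MTA-STS requires.
    verify=False is only for the no-SNI control probe, where no name can be checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(exc: BaseException) -> str:
    """Reduce a failure to the categories the survey cares about."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-mismatch"   # handshake finished, but the cert is not valid for the SNI name
    if isinstance(exc, (ssl.SSLError, ConnectionResetError, EOFError)):
        return "aborted"         # server tore down the handshake (e.g. unrecognized_name alert)
    if isinstance(exc, OSError):
        return "unreachable"     # refused, timed out, no route
    return "error"


def _read_reply(f) -> str:
    """Consume one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise EOFError("peer closed the connection before replying")
        if len(line) >= 4 and line[3] == " ":
            return line[:3]


def probe(host: str, sni: Optional[str], port: int = 25, timeout: float = 15.0) -> str:
    """STARTTLS to host, sending SNI=sni (None = no SNI). Returns 'ok' or a label."""
    ctx = make_context(verify=sni is not None)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            if _read_reply(f) != "220":
                return "no-greeting"
            sock.sendall(b"EHLO probe.invalid\r\n")      # assumed client name
            if _read_reply(f) != "250":
                return "ehlo-rejected"
            sock.sendall(b"STARTTLS\r\n")
            if _read_reply(f) != "220":
                return "no-starttls"
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                tls.sendall(b"QUIT\r\n")                 # be polite; we only wanted the handshake
                return "ok"
    except Exception as exc:
        return classify(exc)
```

A host that returns "ok" without SNI but "aborted" with SNI is one of the servers the post wants to find; "cert-mismatch" with SNI means the server ignored the name and offered another host's certificate, which an MTA-STS client would likewise reject.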