On Wed, Jun 17, 2020 at 04:20:00PM -0400, John Levine wrote:

> In article <49nfx174fgzj...@spike.porcupine.org> you write:
> >Postfix will send SNI when it is told (by policy) what servername
> >to use. It can be statically configured as smtp_tls_servername,
> >or dynamically in an smtp_tls_policy_map lookup result with the
> >servername attribute.
> 
> I meant in the other direction -- you can't tell if someone else's
> mail server has more than one name, so the SMTP client should send
> SNI.

There's certainly no point in bothering with unauthenticated TLS
(security level "may" or "encrypt"), since we ignore the certificate in
any case.  With DANE, SNI is sent unconditionally, and with "verify" (or
its conjoined twin "secure") you get to decide by setting
"smtp_tls_servername".

> Looking at the man page it appears that client SNI is tied to DANE
> which is not a great idea since the point of MTA-STS is to do server
> name verification without needing DNSSEC.

You're not reading all the relevant docs.  They may not always be in one
place, sorry about that.

    http://www.postfix.org/postconf.5.html#smtp_tls_servername

What that says is that with the *default* empty setting of the parameter
SNI is not sent except with DANE.  When the parameter is NOT empty, and
the security level is not DANE-based, the specified (non-empty) SNI name
is sent.

Therefore, sufficient support for SNI to enable MTA-STS plugins is available:

    tls_policy:
        example.com secure
            servername=hostname
            match=mx1.example.com
            match=mx2.example.com
            match=mx3.example.com

There is no built-in MTA-STS support.

-- 
    Viktor.
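To make the rule stated in the thread concrete (SNI is sent unconditionally at the DANE levels, and at other levels only when a non-empty servername is configured, either per entry in the policy table or globally via smtp_tls_servername), here is an added example that is not part of the thread and not Postfix code. It parses an smtp_tls_policy_maps text table, including the whitespace-continuation layout used in the reply above, and reports which SNI name each destination would get. The sample table, the `parse_policy_table`/`sni_for` names and the treatment of the special `hostname` and `nexthop` values as symbolic (they are expanded by Postfix at connect time) are all assumptions of this example.

```python
"""Which entries of a Postfix smtp_tls_policy_maps table will send TLS SNI?

Constructed check based on the rule quoted in the thread:
  - dane / dane-only: SNI is sent unconditionally (the MX hostname);
  - any other level: SNI is sent only if a non-empty servername is set,
    either as a per-entry 'servername=' attribute or via the global
    smtp_tls_servername parameter (passed in here as an argument).
The special values 'hostname' and 'nexthop' are reported as-is; Postfix
expands them at connect time, so the concrete name is not known here.
"""

DANE_LEVELS = {"dane", "dane-only"}
# Levels that ignore the server certificate; SNI has no authentication value.
UNAUTHENTICATED_LEVELS = {"may", "encrypt"}


def parse_policy_table(text):
    """Parse a Postfix text lookup table into {destination: policy}.

    A logical line starts in column 1; lines that begin with whitespace
    continue the previous logical line (Postfix table convention).
    Blank lines and lines whose first non-blank character is '#' are
    treated as comments (assumption: same as Postfix for this example).
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)

    entries = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("policy entry needs destination and level: %r" % line)
        dest, level, attrs = fields[0], fields[1], fields[2:]
        servername = None
        matches = []
        for attr in attrs:
            key, _, value = attr.partition("=")
            if key == "servername":
                servername = value
            elif key == "match":
                matches.append(value)
        entries[dest] = {"level": level, "servername": servername, "match": matches}
    return entries


def sni_for(entry, global_servername=""):
    """Return the SNI name Postfix would send for this entry, or None."""
    level = entry["level"]
    if level == "none":
        return None  # no TLS at all
    if level in DANE_LEVELS:
        # DANE: SNI carries the MX hostname validated via DNSSEC/TLSA.
        return "hostname"
    name = entry["servername"] if entry["servername"] is not None else global_servername
    return name or None


def sni_report(text, global_servername=""):
    """Map each destination to (level, sni_name_or_None, authenticated?)."""
    report = {}
    for dest, entry in parse_policy_table(text).items():
        report[dest] = (
            entry["level"],
            sni_for(entry, global_servername),
            entry["level"] not in UNAUTHENTICATED_LEVELS | {"none"},
        )
    return report


# Constructed sample table, modelled on the layout in the reply above.
SAMPLE_TABLE = """
# constructed example smtp_tls_policy_maps
example.com secure
    servername=hostname
    match=mx1.example.com
    match=mx2.example.com
    match=mx3.example.com
example.net encrypt
example.org verify match=example.org
example.edu dane-only
"""

if __name__ == "__main__":
    for dest, (level, sni, authed) in sni_report(SAMPLE_TABLE).items():
        print("%-14s level=%-9s sni=%-10s authenticated=%s" % (dest, level, sni, authed))
```

The report makes the thread's point visible: the `encrypt` entry never sends SNI and would gain nothing from it, the `verify` entry without a servername attribute only sends SNI if the global parameter is set, and the `secure` entry with `servername=hostname` is the shape an external MTA-STS policy generator would need to emit.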
