I understand now what you are referring to but you were assuming that I was using STARTTLS, which was my mistake for not mentioning it. I'm not using STARTTLS. The connection is encrypted from the beginning of the transaction. STARTTLS was created as part of the standards for e-mail because SNI didn't exist. SNI still isn't perfect but it allows for the encryption of the connection to take place sooner for a variety of domains.
- Fiona

________________________________
From: Peter <pe...@pajamian.dhs.org>
To: postfix-users@postfix.org
Sent: Monday, May 7, 2012 12:02 AM
Subject: Re: TLS SNI support?

On 07/05/12 18:46, Fiona Hines wrote:
> That won't work for me. SNI support is the only solution for my
> scenario since I can't use just one SSL certificate. I haven't used
> Google Apps to know what you are talking about.

I used google apps as an example of a provider that services what probably amounts to tens or hundreds of thousands of domains for email, and they do it all with one SSL certificate with only a single common name. smtp is not http and it does not work the same, you simply do not need to have a separate SSL certificate for every domain you host, one certificate will work for everything.

> And I've got a feeling that the "250 response" part of your reply is
> just wrong - which 250 response? Certificates are validated by clients
> during the handshake and the connection is terminated if the
> verification step fails. That happens long before even the SMTP banner
> is emitted.

I meant 220 greeting which happens before the STARTTLS command that initiates the TLS handshaking. There is also a 250 (plain text) response after the initial EHLO or HELO that also occurs before initiation of the TLS handshaking.

I think you need to have a good read of: http://www.postfix.org/TLS_README.html

Peter
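The two session shapes argued about in this thread, modelled as an added example (not code from the thread or from Postfix): an in-memory SMTP responder and client with no network I/O, whose transcript shows which lines cross the wire in the clear before the TLS handshake (where SNI and the certificate are exchanged) in STARTTLS mode versus implicit TLS. Host names and the 454 reply text are constructed for the example.

```python
class SmtpServer:
    """Minimal responder for the pre-mail part of an SMTP session (constructed)."""
    def __init__(self, offer_starttls=True):
        self.offer_starttls = offer_starttls
        self.tls = False  # becomes True once the TLS handshake has run

    def greeting(self):
        return "220 mail.example.test ESMTP"  # the 220 banner Peter refers to

    def handle(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            exts = ["250-mail.example.test"]
            if self.offer_starttls and not self.tls:
                exts.append("250-STARTTLS")  # advertised only before TLS is up
            exts.append("250 8BITMIME")
            return exts
        if verb == "STARTTLS":
            if self.tls or not self.offer_starttls:
                return ["454 TLS not available"]
            return ["220 Ready to start TLS"]
        return ["502 Command not implemented"]


def session(server, sni_name, implicit_tls):
    """Drive one session; return [(wire_state, line)] in order sent."""
    transcript = []
    encrypted = False

    def handshake():
        nonlocal encrypted
        server.tls = encrypted = True
        transcript.append(("tls-handshake", "ClientHello SNI=" + sni_name))

    def send(line):
        state = "tls" if encrypted else "plain"
        transcript.append((state, "C: " + line))
        responses = server.handle(line)
        transcript.extend((state, "S: " + r) for r in responses)
        return responses[-1]

    if implicit_tls:
        handshake()  # SMTPS: TLS (and SNI) first, before any SMTP text
    transcript.append(("tls" if encrypted else "plain", "S: " + server.greeting()))
    send("EHLO client.example.test")  # 250 reply is plaintext in STARTTLS mode
    if not implicit_tls:
        if not send("STARTTLS").startswith("220"):
            # a client that requires TLS must stop here rather than stay plaintext
            transcript.append(("plain", "client: refusing to continue without TLS"))
            return transcript
        handshake()
        send("EHLO client.example.test")  # EHLO again on the encrypted channel
    return transcript
```

In the STARTTLS transcript the 220 greeting, EHLO and its 250 lines all precede the handshake entry; in the implicit-TLS transcript the handshake entry is first.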