On May 7, 2012, at 15:52, Fiona Hines wrote:

> I understand now what you are referring to but you were assuming that I was 
> using STARTTLS, which was my mistake for not mentioning it.  I'm not using 
> STARTTLS.  The connection is encrypted from the beginning of the transaction. 
> STARTTLS was created as part of the standards for e-mail because SNI didn't 
> exist.  SNI still isn't perfect but it allows for the encryption of the 
> connection to take place sooner for a variety of domains.

(People here appreciate it if you don't top post)

I am pretty sure STARTTLS had nothing to do with virtual hosting, and 
that SNI was developed from an HTTP point of view, since that is where 
virtual hosting makes sense.

If you have a legitimate business case for needing to allow several 
different hostnames that cannot be covered by using a wildcard 
certificate, have a look at multi-domain certificates. These do not 
require SNI on either server or client side, and work great when you 
need to merge or migrate servers, and do not want to update all 
connecting clients.

Also, I think SMTPS over port 465 is generally considered deprecated, 
in favor of STARTTLS over port 25 or 587. If you do not want to allow 
unencrypted connections, simply run submission on port 587, and set the 
security level to 'encrypt':

http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

Cya,
Jona
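The submission setup Jona describes, as an added configuration example that is not part of the thread: port 587 is served by a separate smtpd instance in master.cf whose `-o` overrides force `smtpd_tls_security_level=encrypt`, while the main.cf defaults keep port 25 at `may` so that other MTAs that cannot do STARTTLS can still deliver mail. The certificate paths, the `example.com` host name and the restriction list are placeholders, not values from the thread.

```conf
# --- /etc/postfix/main.cf (fragment) ---------------------------------------
# Server certificate and key; paths are placeholders for your own files.
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/postfix/certs/mail.example.com.key

# Port 25 (MTA-to-MTA): offer STARTTLS opportunistically. 'encrypt' here
# would bounce mail from senders that cannot negotiate TLS at all.
smtpd_tls_security_level = may

# Never advertise AUTH on a plaintext connection, on any port.
smtpd_tls_auth_only = yes

# --- /etc/postfix/master.cf (fragment) -------------------------------------
# service type  private unpriv  chroot  wakeup  maxproc command + args
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With `encrypt` on the submission service, a client that sends MAIL FROM before STARTTLS is refused, and `smtpd_tls_auth_only` makes sure credentials are never accepted over the unencrypted part of the session. The legacy `smtps` wrapper-mode entry on port 465 can simply stay commented out in master.cf. After editing, `postfix reload` applies the change, and `postconf -n` shows the effective main.cf settings for review.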