Yes. It's just a draft. The problem I see is if you send the following (assuming the following MX setup):

Example:
emailservice1.com MX smtp1.example.org
emailservice2.com MX smtp1.example.org

Example SMTP transaction:

220 smtp1.example.org SMTP server ready
EHLO senderdomain.com
250-senderdomain.com hello
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250-AUTH
250 HELP
STARTTLS
(encrypted transaction follows)
MAIL FROM:<ad...@senderdomain.com>
250 Sender is okay
RCPT TO:<recipie...@emailservice1.com>
250 Recipient accepted
RCPT TO:<recipie...@emailservice2.com>
250 Recipient accepted
DATA
354 Send message data, end with a .
blah blah
.
250 Message queued for delivery
QUIT
250 Goodbye
Disconnected from host.

Which certificate should the server use for the encrypted transaction, even if we use SNI? emailservice1.com or emailservice2.com?

So there is the problem, and why there is a need to use the MX identity to tie the certificate to the server. To protect against modified MX data, DNSSEC has to be used instead.
-----Original Message-----
From: Michael Ströder
Sent: Tuesday, December 15, 2015 10:51 AM
To: Sebastian Nielsen ; postfix-users@postfix.org
Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed]

Sebastian Nielsen wrote:
The certificate is normally validated against the MX name, not recipient domain.
Did you read the referenced I-D before replying?
https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1

Ciao, Michael.
"Michael Ströder" <mich...@stroeder.com> wrote (15 December 2015 10:12:56 CET):

Viktor Dukhovni wrote:
So, we've managed to hold off on offering SNI support for a decade since TLS was integrated into Postfix 2.2. I just wanted to see whether anyone still wanted it in Postfix, but perhaps if they really did they've moved on to other solutions.

SNI is a prerequisite for implementing something like [1] if a host is MX for more than one recipient domain.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs
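An added example, not from the thread or from Postfix: a small Python model of the point Sebastian makes above. A sending MTA groups recipients by MX host and delivers them over one TLS session, so the only name it can put in SNI and check against the certificate is the MX hostname; whether that name is trustworthy depends on the MX lookup being DNSSEC-authenticated. The MX table and certificate names are constructed for illustration.

```python
"""Model of recipient routing and certificate name checks for a shared MX.
The MX table and certificate names are constructed, not real DNS data."""
from collections import defaultdict

# Constructed MX table: recipient domain -> (MX hostname, DNSSEC-authenticated?)
MX_TABLE = {
    "emailservice1.com": ("smtp1.example.org", True),
    "emailservice2.com": ("smtp1.example.org", True),
    "emailservice3.com": ("smtp2.example.org", False),
}


def group_by_mx(recipients):
    """Group recipients the way an MTA does: one connection per MX host,
    every recipient routed to that host in the same transaction."""
    groups = defaultdict(list)
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1].lower()
        mx_host, _ = MX_TABLE[domain]
        groups[mx_host].append(rcpt)
    return dict(groups)


def name_matches(cert_names, reference):
    """RFC 6125-style DNS-ID match: exact label match, or a wildcard
    that replaces only the leftmost label (*.example.org)."""
    ref_labels = reference.lower().split(".")
    for name in cert_names:
        labels = name.lower().split(".")
        if labels == ref_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(ref_labels)
                and labels[1:] == ref_labels[1:]):
            return True
    return False


def validate_connection(mx_host, recipients, cert_names):
    """Compare the two candidate reference identifiers for one connection:
    each recipient domain versus the MX hostname the client connected to.
    The MX name is only a sound identifier if its lookup was authenticated."""
    domains = sorted({r.rsplit("@", 1)[1].lower() for r in recipients})
    return {
        "by_recipient_domain": {d: name_matches(cert_names, d) for d in domains},
        "by_mx_name": name_matches(cert_names, mx_host),
        "mx_name_authenticated": all(MX_TABLE[d][1] for d in domains),
    }
```

With a certificate for smtp1.example.org and emailservice1.com only, the recipient-domain check fails for emailservice2.com on the same connection, while the MX-name check passes for both; for smtp2.example.org the MX name matches but is flagged unauthenticated because its MX record was not DNSSEC-signed.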