On 1/9/19 6:22 AM, John Levine wrote:
In article <CANtKdUee4d=bexpAUj-9+qGLO1ght=h-0xomuxv-k+brm3h...@mail.gmail.com>
you write:
I think this is hard. You probably could get a single cert with SANs for
all of your 80 domains, or one for each new domain, but you will have to
figure out how to automate this (and I guess use SNI to pick the right cert
on the server side--note that the RFC does require SMTP clients to support
SNI, so as to enable this).
I use the standard gnutls library which supports SNI, so I suppose I
could put 80 certs into a folder and pick out the right one. I wonder
how many SMTP clients send the name they expect -- until STS came
along there was no expectation that the name the client used matches
the cert. I can certainly write a stunt https server that invents a
suitable policy document on the fly,
The larger issue is that this is the same unfortunate road that SPF
and DMARC went down. Oh, our magic bullet can't handle your totally
standard but slightly unusual setup, so we will retroactively redefine
it as broken.
If MTA-STS isn't suited for you then just use DANE. It's better (IMHO)
anyway.
Seems many MTA clients do not query OCSP servers so DANE is going to be
more secure in the event of a private key compromise.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
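As an added example that is not part of this thread: the "stunt https server that invents a suitable policy document on the fly" for many hosted domains comes down to deriving the domain from the fixed `mta-sts.` host prefix and emitting the RFC 8461 policy text; the parser and MX-matching helper show the checks a sending MTA applies to what it fetches. The shared MX name is constructed sample data, not from the thread.

```python
import re

# Constructed sample data: the MX host every hosted domain's policy lists.
SHARED_MX = ("mail.example.org",)
MODES = ("enforce", "testing", "none")

def policy_for_host(host, mode="testing", max_age=604800):
    """Build RFC 8461 policy text for a request whose Host is mta-sts.<domain>.

    The well-known host prefix is fixed by the RFC, so the requested name alone
    tells a multi-domain server which policy to emit. Returns None for any
    other host so the server can answer 404 instead of serving a bogus policy.
    """
    m = re.fullmatch(r"mta-sts\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)", host.lower().rstrip("."))
    if not m or mode not in MODES:
        return None
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {mx}" for mx in SHARED_MX]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"

def parse_policy(text):
    """Parse a fetched policy; raise ValueError on anything a sender must reject."""
    fields, mx = {}, []
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "mx":
            mx.append(value)
        elif key in ("version", "mode", "max_age"):
            if key in fields:
                raise ValueError(f"duplicate field: {key}")
            fields[key] = value
        # Unknown keys are ignored so newer policies still parse.
    if fields.get("version") != "STSv1" or fields.get("mode") not in MODES:
        raise ValueError("missing or invalid version/mode")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    if fields["mode"] != "none" and not mx:
        raise ValueError("at least one mx is required unless mode is none")
    return {**fields, "max_age": int(fields["max_age"]), "mx": mx}

def mx_matches(policy_mx, mx_host):
    """Exact match, or a leading '*.' that covers exactly one label (RFC 8461 s4.1)."""
    mx_host = mx_host.lower().rstrip(".")
    for pat in (p.lower().rstrip(".") for p in policy_mx):
        if pat.startswith("*."):
            if mx_host.count(".") == pat.count(".") and mx_host.endswith(pat[1:]):
                return True
        elif pat == mx_host:
            return True
    return False
```

The policy text still has to be served over HTTPS with a certificate valid for `mta-sts.<domain>`, which is exactly the per-domain certificate problem the thread is about.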