https://bugs.exim.org/show_bug.cgi?id=2265
--- Comment #2 from Phil Pennock ---

DANE requires that SNI point to the MX hostname, to make it easier to manage mass-hosting. This is a good stance but requires DNSSEC to be safe. The hostname to be verified in a certificate should be the hostname from SNI and without DNSSEC, that would mean verifying a potentially-tampered-with hostname. The name to be verified must always have a trustworthy path back to user input.

We _could_ auto-switch to MX for DNSSEC, not just for DANE, but that adds more scenarios and IMO it's better to reduce to "DANE vs non-DANE". Thus for the non-DANE case we should stick to $domain by default, if picking a default, else something from per-site configuration of OOB configuration for some domains. That's being addressed in 2266.

In a world pre-DANE, SNI is pointless because there's no certificate verification performed. If you're not going to verify, why set a name to select a certificate? It's only because TLS 1.3 _mandates_ SNI if not explicitly countered in an application profile, and I can't be bothered to spend three years fighting under-informed people to push through an application profile for SMTP MX delivery matching reality rather than idealism, that I'm shrugging and picking "something" for SNI in 2266.

For submissions/submission+starttls the use of SNI for key/certificate selection makes a lot of sense. For a DANE world it could make sense in the future.
