> On Oct 19, 2016, at 1:22 PM, Viktor Dukhovni <[email protected]> wrote:
>
>> On Oct 19, 2016, at 9:00 AM, Felipe Gasper <[email protected]> wrote:
>>
>> Exim’s approach is BEAUTIFUL for the purpose of separate certificates per
>> domain. cPanel 11.60 just shipped with this support added. The great thing
>> is that, unlike Apache or Dovecot, the mapping of domain to certificate is
>> dynamic, not in a static list. For shared hosting environments, where each
>> machine/VPS can serve tens of thousands of individual domains, this is a
>> boon.
>>
>> I’d be fine with some facility to configure by-domain configs, logs, or what
>> not in tandem with the certificate. Just as long as it’s still simple and
>> easy to determine the certificate by the DOMAIN, not by served content.
>
> What's even more beautiful is using a single MX hostname for a boatload
> of domains, with a single associated certificate. Works great for
> domeneshop.no (serving over 100k DANE-enabled SMTP domains via 4 MX
> hosts), and transip.nl (serving a similar number of domains), ...
>
> I am somewhat sympathetic to the desire for SNI on port 587, where
> asking users to change settings is a bear, with port 25 SMTP, I've
> yet to see a compelling reason for server-side SNI support. Do not
> go there, unless your back's against the wall...

I’m probably missing something here … how do you get STARTTLS clients to accept/request the correct hostname for TLS when there is only one TLS-secured FQDN?

-FG

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
