> On Apr 19, 2018, at 1:31 PM, David Benjamin <[email protected]> wrote:
>
> Consequently, opportunistic SMTP clients (or those using mandatory TLS, but
> without DANE where the SNI value is still a guessing game we did not play)
> won't get TLS 1.3, until they start to make up some sort of SNI name.
>
> I'm not sure I follow this. Why is the SNI value a guessing game? The client
> that does not verify the certificate does not care what certificate it gets.
> (This is why we still send something, rather than close the connection.) The
> client that does verify a certificate, whether or not failures are fatal,
> does not need to guess: use the name that is being verified.
There is no "the name that is being verified". The Postfix SMTP client accepts
multiple (configurable as a set) names for the peer endpoint. This may be the
next-hop domain or the MX hostname, or a sub-domain wildcard, or some fixed
hardcoded name, or a mixture of these...
--
Viktor.
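Added example (not code from Postfix or from either poster) modelling the point above: when the client's acceptable-name set is built from several match specifiers (loosely modelled on Postfix's `nexthop`, `dot-nexthop`, `hostname` and literal-name specifiers; the exact matching semantics here are assumed), more than one certificate name can satisfy verification, so there is no single "name being verified" to put in SNI.

```python
def expand_match_specs(specs, nexthop, mx_hostname):
    """Expand match specifiers into the patterns the client would accept.
    Assumed semantics: 'nexthop' -> the next-hop domain; 'dot-nexthop' ->
    the next-hop domain or any sub-domain of it (kept as '*.domain');
    'hostname' -> the MX hostname from DNS; anything else -> a literal name."""
    accepted = set()
    for spec in specs:
        if spec == "nexthop":
            accepted.add(nexthop.lower())
        elif spec == "dot-nexthop":
            accepted.add(nexthop.lower())
            accepted.add("*." + nexthop.lower())
        elif spec == "hostname":
            accepted.add(mx_hostname.lower())
        else:
            accepted.add(spec.lower())
    return accepted


def name_matches(san, pattern):
    """Case-insensitive match of one certificate name against one pattern."""
    san = san.lower()
    if pattern.startswith("*."):
        # sub-domain pattern: require a real label before the parent domain
        return san.endswith(pattern[1:]) and len(san) > len(pattern) - 1
    return san == pattern


def matching_names(cert_sans, accepted):
    """All certificate names that would pass verification."""
    return {san for san in cert_sans if any(name_matches(san, p) for p in accepted)}


def sni_is_unambiguous(accepted):
    """True only if the accepted set collapses to a single literal name."""
    return len(accepted) == 1 and not next(iter(accepted)).startswith("*.")


def demo():
    # Constructed sample input, not taken from any real deployment.
    nexthop = "example.com"
    mx_hostname = "mx1.mail-provider.example"
    specs = ["nexthop", "dot-nexthop", "hostname"]
    cert_sans = ["mail.example.com", "mx1.mail-provider.example", "unrelated.test"]
    accepted = expand_match_specs(specs, nexthop, mx_hostname)
    return matching_names(cert_sans, accepted), sni_is_unambiguous(accepted)


if __name__ == "__main__":
    names, unambiguous = demo()
    print("names that would verify:", sorted(names))
    print("single SNI candidate:", unambiguous)
```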
_______________________________________________
openssl-project mailing list
[email protected]
https://mta.openssl.org/mailman/listinfo/openssl-project