On Wed, Jun 17, 2020 at 03:30:09PM -0400, Wietse Venema wrote:

> > Looking at the mail logs for my servers, it's pretty clear that
> > Postfix doesn't send SNI. I would also guess that if a Postfix MTA has
> > multiple names, it doesn't have any way to select a certificate using
> > SNI. This is not hard to fix; I added SNI support to the mailfront
> > SMTP daemon in a couple of hours. It took longer to get all the
> > certificates signed.
>
> Postfix will send SNI when it is told (by policy) what servername
> to use. It can be statically configured as smtp_tls_servername,
> or dynamically in an smtp_tls_policy_map lookup result with the
> servername attribute.
>
> There are several MTA-STS plugins for Postfix that provide that
> dynamic policy. It is not built into Postfix at this time, just
> like DKIM and a lot of other protocols.
See also the recent thread on SNI:

    http://postfix.1071664.n5.nabble.com/Re-SNI-problem-the-client-side-td106457.html

The Postfix server needs to be:

  * 3.4.x >= 3.4.13, or
  * 3.5.x >= 3.5.3, or
  * 3.6-YYYYMMDD >= 3.6-20200610

What Wietse said about the client settings, but see also:

    http://postfix.1071664.n5.nabble.com/Re-SNI-problem-the-client-side-tp106457p106468.html

if you're a user of:

    https://github.com/Snawoot/postfix-mta-sts-resolver

-- 
    Viktor.
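An added configuration example (not from this thread or from the Postfix project's documentation) of the two mechanisms Wietse describes: a static smtp_tls_servername in main.cf, and per-destination servername= attributes returned from an smtp_tls_policy_maps lookup. The hostnames and file paths are constructed placeholders.

```text
# /etc/postfix/main.cf (added example; hostnames are placeholders)
#
# Default outbound policy: opportunistic DANE. Per-destination
# overrides, including the SNI name to send, come from the policy map.
smtp_tls_security_level = dane
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
#
# Static alternative: one SNI name sent to every remote server.
# Rarely useful on its own; it is shown only for contrast with the map.
# smtp_tls_servername = mail.example.com

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing)
#
# Key: next-hop destination.  Value: security level plus attributes.
# "secure" verifies the server certificate against the match= names;
# servername= is the name placed in the TLS SNI extension.
# With "encrypt" the SNI name is still sent, but nothing is verified,
# so a wrong certificate is not detected.
example.com           secure  match=mail.example.com servername=mail.example.com
[mx.example.net]:25   encrypt servername=mx.example.net
```

The SNI name and the match= names are independent attributes; keeping them the same avoids presenting one identity to the server and verifying another.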