On Wed, Jun 17, 2020 at 03:30:09PM -0400, Wietse Venema wrote:
> > Looking at the mail logs for my servers, it's pretty clear that
> > Postfix doesn't send SNI. I would also guess that if a Postfix MTA has
> > multiple names, it doesn't have any way to select a certificate using
> > SNI. This is not hard to fix; I added SNI support to the mailfront
> > SMTP daemon in a couple of hours. It took longer to get all the
> > certificates signed.
>
> Postfix will send SNI when it is told (by policy) what servername
> to use. It can be statically configured as smtp_tls_servername,
> or dynamically in an smtp_tls_policy_map lookup result with the
> servername attribute.
>
> There are several MTA-STS plugins for Postfix that provide that
> dynamic policy. It is not built into Postfix at this time, just
> like DKIM and a lot of other protocols.

See also the recent thread on SNI:

http://postfix.1071664.n5.nabble.com/Re-SNI-problem-the-client-side-td106457.html

The Postfix server needs to be:

* 3.4.x >= 3.4.13, or
* 3.5.x >= 3.5.3, or
* 3.6-YYYYMMDD >= 3.6-20200610

What Wietse said about the client settings, but see also:

http://postfix.1071664.n5.nabble.com/Re-SNI-problem-the-client-side-tp106457p106468.html

if you're a user of:

https://github.com/Snawoot/postfix-mta-sts-resolver

--
Viktor.
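
The configuration Wietse describes, written out as an added example (this is not from the thread, from Viktor, or from the Postfix documentation): a static SNI name via smtp_tls_servername, per-destination SNI via the servername attribute in an smtp_tls_policy_maps table, and, for the server side raised in the first quoted message, certificate selection by SNI name with tls_server_sni_maps. All hostnames, file paths and the map entries are placeholders I made up; the parameter names are Postfix 3.4+ parameters as I understand them, and the exact attribute semantics should be checked against postconf(5) and TLS_README for the version in use.

```conf
# /etc/postfix/main.cf  (added example, placeholder values)

# --- Client side: what Postfix sends in the TLS SNI extension ---

# Static default SNI name for every outbound TLS session (Postfix >= 3.4).
# Empty (the default) means "send no SNI". Only set this if every
# destination really expects the same name; per-destination values in
# the policy table below override it.
smtp_tls_servername =

# Per-destination TLS policy. The "servername" attribute in a lookup
# result is what makes Postfix send SNI for that destination.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- Server side: choose a certificate by the SNI name the client sent ---

# Maps the SNI hostname to the PEM file(s) holding that name's key and
# chain (Postfix >= 3.4). Build it with "postmap -F", which stores the
# file contents rather than the file names. Clients that send no SNI,
# or a name not in the map, get the default smtpd_tls_chain_files.
tls_server_sni_maps = hash:/etc/postfix/sni
```

```conf
# /etc/postfix/tls_policy  (added example, placeholder values)
# <nexthop>          <security level> [attributes...]
#
# "secure" enables certificate name verification; "match" lists the
# names accepted in the server certificate and "servername" is the name
# sent in SNI, so the two are normally kept in sync.
example.com          secure  match=mail.example.com servername=mail.example.com

# Brackets mean "this is the literal nexthop, do not do MX lookups".
# "encrypt" requires TLS but does not verify the certificate; SNI is
# still sent so a multi-name server can pick the right certificate.
[mx.example.net]     encrypt servername=mx.example.net
```

```conf
# /etc/postfix/sni  (added example, placeholder values; build with postmap -F)
# <SNI hostname>     <key file>,<chain file>
mail.example.com     /etc/postfix/certs/mail.example.com.key,/etc/postfix/certs/mail.example.com.crt
smtp.example.org     /etc/postfix/certs/smtp.example.org.key,/etc/postfix/certs/smtp.example.org.crt
```

After editing, rebuild the tables (`postmap /etc/postfix/tls_policy` and `postmap -F /etc/postfix/sni`) and `postfix reload`. To confirm the server side is selecting certificates correctly, connect with `openssl s_client -starttls smtp -connect mx.example.net:25 -servername mail.example.com` and check the subject of the certificate returned. Note that with an MTA-STS plugin such as postfix-mta-sts-resolver, the servername attribute is supplied by the resolver's dynamic policy lookup rather than by a static table like the one above, so a stale or missing entry there is a policy problem, not a TLS problem.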