> On Mar 23, 2017, at 10:03 AM, Mark Constable <ma...@renta.net> wrote:
> 
> On 23/03/17 23:06, Viktor Dukhovni wrote:
>>> is it possible to setup separate SSL certificates for each virtual
>>> domain ?
>> 
>> The Postfix smtpd(8) service does not support SNI-based certificate
>> selection. And this is not needed. Just point all the virtual domains
>> at a common MX host with a single certificate.
> 
> That is not an appropriate answer for my clients who are paying me to
> provide them with their own domain identity at a time when it's almost
> impossible to get reasonable sized blocks of IPv4 networks.

That answer was for the port 25 inbound MX relay host, which can be
changed by updating MX records without any interaction with the users.

You have to decide what to tell your clients, I am just letting *you*
know what Postfix provides in this space.  SNI is largely a non-issue
for MX hosting.  The story is different for MSA hosting...

> SNI is a real
> thing. Dovecot does it, Courier-MTA fully supports SNI on all protocols
> and MUAs will work with SNI.

I am well aware of what SNI is for and how it is used.  This question has
been asked before on this list, you can search the archives for previous
answers.

> It absolutely insulates hosting clients from having to change their SMTP
> server settings when the hosting provider can make the necessary network
> adjustments. If that single MX host has to change (ISP buy out or whatever)
> then all clients have to make a mail server setting change, if the provider
> had the option of using SNI then the clients "vanity" mail server domain
> settings can remain unchanged.

You are conflating MX hosts with MSAs.  Users don't configure their MUAs
to talk to MX hosts.  Sadly, despite RFC 6186, most MUAs do not do SRV
record lookups, and doing so securely would require ubiquitous DNSSEC,
with no barriers to access at hotel networks, airports and other captive
portals.  That's still many years away...

> The only valid reason for not using SNI is when a virtual domain must have
> a PTR record but a PTR is not always required, e.g. a Wordpress site
> sending out notifications. Even so, the provider can switch a virtual domain
> between SNI and a dedicated IP without the client having to make any changes.

As I said, there is a legitimate use-case for SNI support in the port 587
submission service, but Postfix does not at present have the requisite
feature.  Sorry about that.

-- 
        Viktor.

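The distinction Viktor draws above (one certificate is enough for a shared MX host, but per-client submission hostnames need SNI, and RFC 6186 SRV lookups are what would let MUAs avoid hard-coding those hostnames) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from Postfix or from any MUA. All domain names, DNS records and certificate SANs are constructed stand-ins, so it runs offline against the inline data rather than real DNS.

```python
"""
Constructed example: why a single certificate covers every virtual domain's
inbound MX, while per-client submission (MSA) hostnames need SNI.
The "zone" data below is made up; nothing here touches the network.
"""
from typing import Dict, List, Optional, Tuple

# Constructed MX data: every hosted domain points at the provider's common MX.
ZONE_MX: Dict[str, List[Tuple[int, str]]] = {
    "client-a.example": [(10, "mx.provider.example.")],
    "client-b.example": [(10, "mx.provider.example.")],
    "client-c.example": [(10, "mx.provider.example."), (20, "mx2.provider.example.")],
}

# Constructed MUA settings: each client typed a "vanity" submission host.
MUA_SUBMISSION_HOST: Dict[str, str] = {
    "client-a.example": "smtp.client-a.example",
    "client-b.example": "smtp.client-b.example",
}

# Constructed RFC 6186 SRV records (priority, weight, port, target).
# Only client-a publishes one; as the thread notes, most MUAs ignore these anyway.
ZONE_SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_submission._tcp.client-a.example": [(0, 5, 587, "msa.provider.example.")],
}

# Names asserted by the one certificate installed on the shared host (constructed).
PROVIDER_CERT_SANS: List[str] = ["mx.provider.example", "msa.provider.example"]


def lowest_mx(domain: str) -> Optional[str]:
    """Preferred (lowest-preference) MX target, lower-cased, trailing dot removed."""
    records = ZONE_MX.get(domain)
    if not records:
        return None
    _pref, host = min(records)
    return host.rstrip(".").lower()


def name_matches(reference: str, presented: str) -> bool:
    """RFC 6125-style host name match.

    Case-insensitive; a wildcard is only honoured as the entire left-most label,
    matches exactly one label, and never matches at the registry (TLD) level.
    """
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(ref) > 2 and ref[1:] == pres[1:]
    return ref == pres


def cert_covers(hostname: Optional[str], sans: List[str]) -> bool:
    """True if any SAN in the certificate matches the name the client verifies."""
    return hostname is not None and any(name_matches(hostname, san) for san in sans)


def mx_hosts_needing_own_cert(zone: Dict[str, List[Tuple[int, str]]], sans: List[str]) -> List[str]:
    """Domains whose preferred MX name the shared certificate does not cover.

    With all MX records pointing at the common host this is empty, which is the
    thread's point: inbound MX hosting needs no SNI.
    """
    return [d for d in zone if not cert_covers(lowest_mx(d), sans)]


def mua_hosts_needing_own_cert(mua_hosts: Dict[str, str], sans: List[str]) -> List[str]:
    """Per-client submission names the shared certificate cannot satisfy.

    These are the names an MUA verifies, so without SNI (or a dedicated IP and
    certificate per client) the handshake fails certificate validation.
    """
    return [h for h in mua_hosts.values() if not cert_covers(h, sans)]


def srv_submission_target(domain: str, srv_zone: Dict[str, List[Tuple[int, int, int, str]]]) -> Optional[Tuple[str, int]]:
    """RFC 6186 lookup: lowest priority wins, then highest weight; None if unpublished."""
    recs = srv_zone.get(f"_submission._tcp.{domain}")
    if not recs:
        return None
    _prio, _weight, port, target = min(recs, key=lambda r: (r[0], -r[1]))
    return target.rstrip(".").lower(), port


if __name__ == "__main__":
    print("MX names not covered by the shared cert:",
          mx_hosts_needing_own_cert(ZONE_MX, PROVIDER_CERT_SANS))
    print("MUA submission names not covered (need SNI):",
          mua_hosts_needing_own_cert(MUA_SUBMISSION_HOST, PROVIDER_CERT_SANS))
    for d in MUA_SUBMISSION_HOST:
        print(d, "RFC 6186 submission SRV ->", srv_submission_target(d, ZONE_SRV))
```

Run as a script it shows the asymmetry: the MX check comes back empty because every virtual domain's MX name is the provider's own, whereas every per-client submission name fails, and only the domain that published an SRV record could steer a (hypothetical) RFC 6186-aware MUA to the provider's MSA name instead.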