> On Jan 25, 2018, at 9:30 PM, MK <ph...@rogers.com> wrote:
>
> I’d request considering allowing the SNI to be enabled per port.

Each port gets its own entry in master.cf, so you will certainly be able to enable or disable SNI support for a given TCP endpoint.

> While using it in production we found a very small number (<1%) of mail servers
> sending to our server didn’t like SNI - likely ancient mail servers.

This is rather intriguing... How would they even know you had SNI? The effect of SNI is to present a certificate selected on the basis of the supplied hostname hint. Otherwise, everything looks exactly the same, so it is hard to imagine how said servers "didn't like" SNI.

Perhaps your server responded to some unexpected SNI names by aborting the TLS handshake? Postfix won't do that. For SNI names that don't have a matching configuration, Postfix will respond with a default certificate; it'll be up to the client to either accept that or not.

--
Viktor.