On Mon, Apr 01, 2019 at 10:09:13PM +0300, Andrei Kovacs wrote:

> Thank you for your explanation, I've been able to configure the SNI
> functionality. Just one issue is left, but that's maybe for a further
> improvement of postfix: it would be nice if there were a "catch-all" entry
> in the SNI map table, like '* /path/to/cert.pem' or 'default
> /path/to/cert.pem', because otherwise there is no way of specifying a
> default certificate.
Actually, the default certificate chain is, as previously, the one
specified in main.cf. After all, many clients won't send SNI at all,
and many servers won't configure SNI support.

The reason to configure domains that use the default chain with an
explicit SNI mapping to that chain is to suppress warnings in the logs
about receiving SNI names that fail to match any entries in the table.
Such warnings can be useful to identify misconfigured clients and
servers. Setting up a wildcard default would completely defeat the
purpose of the mismatch logging.

-- 
Viktor.
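An added illustration of the arrangement Viktor describes, written for this page and not taken from the thread or from the Postfix documentation. The hostnames and file paths are constructed; it assumes the Postfix 3.4 parameters smtpd_tls_chain_files and tls_server_sni_maps, and that each mapped PEM file holds a private key followed by its certificate chain:

```ini
# --- main.cf (constructed example) ---
# The default chain: served to clients that send no SNI name at all, and to
# clients whose SNI name has no entry in the table (those produce the
# mismatch warning in the log).
smtpd_tls_chain_files = /etc/postfix/chains/mail.example.com.pem

# Per-name chains, keyed by the SNI hostname the client asked for.
# Rebuild the indexed file after editing with: postmap -F hash:/etc/postfix/sni_chains
tls_server_sni_maps = hash:/etc/postfix/sni_chains

# --- /etc/postfix/sni_chains (constructed example) ---
# Explicit entry for the name that already uses the default chain. It does not
# change which chain is served; it only stops the "unmatched SNI" warning for
# a name that is known to be legitimate.
mail.example.com    /etc/postfix/chains/mail.example.com.pem

# A hosted domain that gets its own chain.
mx.example.net      /etc/postfix/chains/mx.example.net.pem

# No "*" or "default" line: an SNI name absent from this table still gets the
# smtpd_tls_chain_files chain, and the log entry it produces is the signal
# that a client or DNS record is pointing an unexpected name at this server.
```

With this layout the log warnings are reserved for genuinely unexpected names, which is the monitoring value Viktor is preserving: review them periodically and either add the name to the table (if it is a legitimate alias) or chase down the misconfigured client or DNS record.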