If we want to try and respect MTA-STS, when doing STARTTLS, the sender needs to send the right information in the TLS SNI (Server Name Inidication) extension. An MTA-STS-honoring SMTP client expects to validate the X.509 certificate of the receiving MTA, but that MTA might be known by a dozen names, unless the SNI is provided.
For example, if i'm trying to reach out to mail.example.biz but it happens to also serve mail.example.com on the same address at port 25, I definitely need to tell it which hostname i'm looking for, so that the server can offer me the mail.example.biz certificate instead of the mail.example.com certificate. Unfortunately, in postfix versions prior to 3.4 SNI is not sent. In postfix 3.4, the parameter 'smtp_tls_servername' was added. This is an *optional* parameter that sends the value to the remote SMTP server in the TLS SNI extension. However, the documentation seems to suggest that there could be problems with this parameter: http://www.postfix.org/postconf.5.html#smtp_tls_servername Some SMTP servers use the received SNI name to select an appropriate certificate chain to present to the client. While this may improve interoperability with such servers, it may reduce interoperability with other servers that choose to abort the connection when they don't have a certificate chain configured for the requested name. When in doubt, leave this parameter empty, and configure per-destination SNI as needed I'm wondering what this particular problem in the documentation is about. Does anyone have any statistics of how frequent of an occurrence this actually is, is it actually such a major problem that turning this on will cause significant issues? I'd like to enable this parameter, but I'm concerned that this might cause problems. Ideally, this parameter should be on by default, but this warning in the documentation seems to suggest there are some widely implemented problems that need to be uncovered and I'd like to find out more about what these are. It seems like if we wish to respect MTA-STS, we need to get servers who are doing this to stop doing this. We need to know what servers are doing this so we can get them to change. Does anyone want to get the gamification sites to add this test to their servers (mxtoolbox etc)? Or can people connect to all the servers you've connected to in the past, with SNI, and see if it aborts connections and then make a list that we can go harass to fix? -- micah
