If we want to try and respect MTA-STS, when doing STARTTLS, the sender
needs to send the right information in the TLS SNI (Server Name
Inidication) extension. An MTA-STS-honoring SMTP client expects to
validate the X.509 certificate of the receiving MTA, but that MTA might
be known by a dozen names, unless the SNI is provided.

For example, if i'm trying to reach out to mail.example.biz but it
happens to also serve mail.example.com on the same address at port 25, I
definitely need to tell it which hostname i'm looking for, so that the
server can offer me the mail.example.biz certificate instead of the
mail.example.com certificate.

Unfortunately, in postfix versions prior to 3.4 SNI is not sent. In
postfix 3.4, the parameter 'smtp_tls_servername' was added. This is an
*optional* parameter that sends the value to the remote SMTP server in
the TLS SNI extension.

However, the documentation seems to suggest that there could be problems
with this parameter:

http://www.postfix.org/postconf.5.html#smtp_tls_servername

        Some SMTP servers use the received SNI name to select an
        appropriate certificate chain to present to the client. While
        this may improve interoperability with such servers, it may
        reduce interoperability with other servers that choose to abort
        the connection when they don't have a certificate chain
        configured for the requested name. When in doubt, leave this
        parameter empty, and configure per-destination SNI as needed

I'm wondering what this particular problem in the documentation is
about. Does anyone have any statistics of how frequent of an occurrence
this actually is, is it actually such a major problem that turning this
on will cause significant issues?

I'd like to enable this parameter, but I'm concerned that this might
cause problems. Ideally, this parameter should be on by default, but
this warning in the documentation seems to suggest there are some widely
implemented problems that need to be uncovered and I'd like to find out
more about what these are.

It seems like if we wish to respect MTA-STS, we need to get servers who
are doing this to stop doing this.

We need to know what servers are doing this so we can get them to
change.

Does anyone want to get the gamification sites to add this test to their
servers (mxtoolbox etc)? Or can people connect to all the servers you've
connected to in the past, with SNI, and see if it aborts connections and
then make a list that we can go harass to fix?



-- 
        micah

Reply via email to