micah anderson:
If we want to try and respect MTA-STS, when doing STARTTLS, the sender needs to send the right information in the TLS SNI (Server Name Inidication) extension. An MTA-STS-honoring SMTP client expects to validate the X.509 certificate of the receiving MTA, but that MTA might be known by a dozen names, unless the SNI is provided.
I don't fully understand the value of SNI for MTA-to-MTA communication, but that's an other problem. I suggest to look at https://github.com/Snawoot/postfix-mta-sts-resolver ... Andreas
