"A. Schulze" <[email protected]> writes: > micah anderson: > >> If we want to try and respect MTA-STS, when doing STARTTLS, the sender >> needs to send the right information in the TLS SNI (Server Name >> Inidication) extension. An MTA-STS-honoring SMTP client expects to >> validate the X.509 certificate of the receiving MTA, but that MTA might >> be known by a dozen names, unless the SNI is provided. > > I don't fully understand the value of SNI for MTA-to-MTA communication, > but that's an other problem.
As I wrote in the initial email, if i'm trying to reach out to mail.example.biz but it happens to also serve mail.example.com on the same address at port 25, I definitely need to tell it which hostname i'm looking for, so that the server can offer me the mail.example.biz certificate instead of the mail.example.com certificate. > I suggest to look at > https://github.com/Snawoot/postfix-mta-sts-resolver I am aware of that, but I'm not asking specifically how to implement this, I'm more trying to find out what really is the concern here with enabling this, and what we need to do to fix that. -- micah
