On Fri, Oct 11, 2019 at 08:02:32PM +0200, A. Schulze wrote:

> that Gmail enabled SNI on their SMTP client is an indicator that using SNI
> may not cause relevant trouble.  But it's also known, Gmail is able to do
> such stuff very selective to prevent damage.

Indeed I am not presently able to rule out that possibility, the
question could be posed to the Gmail email engineering team directly,
they probably know the answer.

> In theory, an SMTP client, postfix smtp for example, could always try to
> connect to a remote destination using SNI, log success or failure and
> fallback to reconnect without SNI.

That feels too complicated, how many permutations of TLS settings
do you want Postfix to try when TLS handshakes fail?

> Reading http://www.postfix.org/postconf.5.html#smtp_tls_servername give
> me the impression one could set "smtp_tls_servername = hostname". That
> would force the SMTP client to always send SNI.

Yes, and one can set it empty in a per-destination policy for
any hypothetical site that breaks as a consequence.

-- 
        Viktor.

Reply via email to