On Fri, Oct 11, 2019 at 08:02:32PM +0200, A. Schulze wrote: > that Gmail enabled SNI on their SMTP client is an indicator that using SNI > may not cause relevant trouble. But it's also known, Gmail is able to do > such stuff very selective to prevent damage.
Indeed I am not presently able to rule out that possibility, the question could be posed to the Gmail email engineering team directly, they probably know the answer. > In theory, an SMTP client, postfix smtp for example, could always try to > connect to a remote destination using SNI, log success or failure and > fallback to reconnect without SNI. That feels too complicated, how many permutations of TLS settings do you want Postfix to try when TLS handshakes fail? > Reading http://www.postfix.org/postconf.5.html#smtp_tls_servername give > me the impression one could set "smtp_tls_servername = hostname". That > would force the SMTP client to always send SNI. Yes, and one can set it empty in a per-destination policy for any hypothetical site that breaks as a consequence. -- Viktor.
