> No. That's not how ESNI works with the current draft, nor how I guess it'll evolve. The TLS server (MTA in this case) has to publish a key share and other stuff in the DNS for ESNI to work and has to keep the DNS content and TLS server config in-whack. So merely upgrading a library won't turn on ESNI, it needs specific action from some admin-like being.
Ah, I should take another look. But I still don't think it matters because ...
> If an MTA acts for loads of domains on one IP address using different certificates via ESNI where the names in those certificates aren't easily mapped to other message content.
The cert names are tied to the MX which is tied to the recipient. If you know the recipient, which you do in nearly every situation where there are Received headers, game over regardless of how the SNI is communicated.
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
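To make the point in the reply concrete, here is an added example (not from the thread or any project) that walks the chain recipient -> MX host -> certificate name from nothing but the Received headers of a message. The message, the MX table standing in for a DNS lookup, and all host names are constructed.

```python
import email
import re
from email.message import Message

# Constructed sample message: two hops, each Received header carrying the
# "for <recipient>" clause that most MTAs add.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id abc123
\tfor <alice@example.org>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from sender.example.com (sender.example.com [198.51.100.5])
\tby mx2.example.net with ESMTP id def456
\tfor <alice@example.org>; Mon, 1 Jan 2024 09:59:58 +0000
From: bob@example.com
To: alice@example.org
Subject: test

hello
"""

# Constructed stand-in for a DNS MX lookup (recipient domain -> MX host).
# In practice this mapping is public DNS data, which is the reply's point.
MX_TABLE = {
    "example.org": "mail.example.org",
}

# Matches "for <user@domain>" or "for user@domain" inside a Received header.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def recipients_from_received(msg: Message) -> list[str]:
    """Return the recipient addresses disclosed by 'for' clauses, in header order."""
    found: list[str] = []
    for hdr in msg.get_all("Received", []):
        # Collapse folded continuation lines before matching.
        m = FOR_CLAUSE.search(" ".join(hdr.split()))
        if m and m.group(1).lower() not in found:
            found.append(m.group(1).lower())
    return found


def inferred_server_names(raw: str, mx_table: dict[str, str] = MX_TABLE) -> dict[str, str]:
    """Map each disclosed recipient domain to the MX host whose certificate the
    sending MTA validated, i.e. the name SNI (encrypted or not) would have carried."""
    msg = email.message_from_string(raw)
    result: dict[str, str] = {}
    for addr in recipients_from_received(msg):
        domain = addr.rsplit("@", 1)[1]
        result[domain] = mx_table.get(domain, "<MX lookup required>")
    return result


if __name__ == "__main__":
    print(inferred_server_names(SAMPLE_MESSAGE))
```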
