Re: [exim] SNI and DANE TLSA record monitoring

Pàgina inicial
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
A: exim users
Assumpte: Re: [exim] SNI and DANE TLSA record monitoring

> On Oct 19, 2016, at 9:00 AM, Felipe Gasper <felipe@???> wrote:
>
>
> Exim’s approach is BEAUTIFUL for the purpose of separate certificates per domain. cPanel 11.60 just shipped with this support added. The great thing is that, unlike Apache or Dovecot, the mapping of domain to certificate is dynamic, not in a static list. For shared hosting environments, where each machine/VPS can serve tens of thousands of individual domains, this is a boon.
>
> I’d be fine with some facility to configure by-domain configs, logs, or what not in tandem with the certificate. Just as long as it’s still simple and easy to determine the certificate by the DOMAIN, not by served content.


What's even more beautiful is using a single MX hostname for a boatload
of domains, with a single associated certificate. Works great for
domeneshop.no (serving over 100k DANE-enabled SMTP domains via 4 MX
hosts), and transip.nl (serving a similar number of domains), ...

I am somewhat sympathetic to the desire for SNI on port 587, where
asking users to change settings is a bear, with port 25 SMTP, I've
yet to see a compelling reason for server-side SNI support. Do not
go there, unless your back's against the wall...


-- 
    Viktor.