Re: [exim] SNI and DANE TLSA record monitoring

> On Oct 19, 2016, at 1:22 PM, Viktor Dukhovni <exim-users@???> wrote:
>
>
>> On Oct 19, 2016, at 9:00 AM, Felipe Gasper <felipe@???> wrote:
>>
>>
>> Exim’s approach is BEAUTIFUL for the purpose of separate certificates per domain. cPanel 11.60 just shipped with this support added. The great thing is that, unlike Apache or Dovecot, the mapping of domain to certificate is dynamic, not in a static list. For shared hosting environments, where each machine/VPS can serve tens of thousands of individual domains, this is a boon.
>>
>> I’d be fine with some facility to configure by-domain configs, logs, or what not in tandem with the certificate. Just as long as it’s still simple and easy to determine the certificate by the DOMAIN, not by served content.
>
> What's even more beautiful is using a single MX hostname for a boatload
> of domains, with a single associated certificate. Works great for
> domeneshop.no (serving over 100k DANE-enabled SMTP domains via 4 MX
> hosts), and transip.nl (serving a similar number of domains), ...
>
> I am somewhat sympathetic to the desire for SNI on port 587, where
> asking users to change settings is a bear, with port 25 SMTP, I've
> yet to see a compelling reason for server-side SNI support. Do not
> go there, unless your back's against the wall...

I’m probably missing something here … how do you get STARTTLS clients to accept/request the correct hostname for TLS when there is only one TLS-secured FQDN?

-FG