Re: [exim] SNI and DANE TLSA record monitoring

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] SNI and DANE TLSA record monitoring
On 19/10/16 19:02, Felipe Gasper wrote:
> I’m probably missing something here … how do you get STARTTLS clients to accept/request the correct hostname for TLS when there is only one TLS-secured FQDN?


There is no necessary connection between the hostname of either an MX
or an MSA for a domain.

The one is found using DNS MX lookups, the other either by static
configuration of the MUA or by DNS SRV lookups.

Use of TLS is neither here nor there, in finding the right host
to contact. One might prefer to have a server certificate
with a CN or SAN that matches its name in the DNS, if using
TLS, for authentication (assuming a shared trust-anchor),
but even that is independent of having encryption.
--
Cheers,
Jeremy