[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

Author: admin
To: exim-dev
https://bugs.exim.org/show_bug.cgi?id=2265

--- Comment #2 from Phil Pennock <pdp@???> ---
DANE requires that SNI point to the MX hostname, to make it easier to manage
mass-hosting. This is a good stance but requires DNSSEC to be safe. The
hostname to be verified in a certificate should be the hostname from SNI and
without DNSSEC, that would mean verifying a potentially-tampered-with hostname.

The name to be verified must always have a trustworthy path back to user input.

We _could_ auto-switch to MX for DNSSEC, not just for DANE, but that adds more
scenarios and IMO it's better to reduce to "DANE vs non-DANE".

Thus for the non-DANE case we should stick to $domain by default, if picking a
default, else something from per-site configuration of OOB configuration for
some domains. That's being addressed in 2266.

In a world pre-DANE, SNI is pointless because there's no certificate
verification performed. If you're not going to verify, why set a name to
select a certificate? It's only because TLS 1.3 _mandates_ SNI if not
explicitly countered in an application profile, and I can't be bothered to
spend three years fighting under-informed people to push through an application
profile for SMTP MX delivery matching reality rather than idealism, that I'm
shrugging and picking "something" for SNI in 2266.

For submissions/submission+starttls the use of SNI for key/certificate
selection makes a lot of sense. For a DANE world it could make sense in the
future.

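The naming rule argued for in the comment above, sketched as an added example; it is not code from the original message or from Exim. The `MxLookup` type, the `choose_sni` function and the `site_overrides` mapping are hypothetical names, and the sample lookups are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MxLookup:
    """Constructed model of one MX lookup result (not an Exim structure)."""
    host: str          # MX target name as returned by DNS
    mx_secure: bool    # MX RRset was DNSSEC-validated
    tlsa_secure: bool  # DNSSEC-validated TLSA records exist for this host


def _norm(name: str) -> str:
    # Compare and send names without the trailing root dot, in lower case.
    return name.rstrip(".").lower()


def choose_sni(domain: str, mx: MxLookup,
               site_overrides: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return (sni_name, source) for an outbound MX delivery.

    DANE case: the MX hostname has a DNSSEC-protected path back to the
    recipient domain, so it is safe to send as SNI and to verify.
    Non-DANE case: DNS answers never influence the name; use per-site
    configuration if present, else the recipient domain ($domain).
    """
    if mx.mx_secure and mx.tlsa_secure:
        return _norm(mx.host), "dane-mx-hostname"
    override = (site_overrides or {}).get(_norm(domain))
    if override:
        return _norm(override), "site-config"
    return _norm(domain), "recipient-domain"


# Constructed sample lookups for the recipient domain example.org.
CASES = {
    "dane": MxLookup("mx1.example.net.", True, True),
    # DNSSEC-signed MX but no TLSA: treated as non-DANE, no auto-switch.
    "dnssec_only": MxLookup("mx1.example.net.", True, False),
    # Unsigned answer that could have been tampered with in transit.
    "unsigned": MxLookup("mx.attacker.example.", False, False),
}

if __name__ == "__main__":
    for label, mx in CASES.items():
        print(label, choose_sni("example.org", mx))
```

In the `unsigned` case the name taken from DNS is never used, so a forged MX answer cannot pick the name that is sent or verified.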