Re: [exim-dev] [Bug 2266] New: TLS SNI should default set

Author: Viktor Dukhovni
Date:  
To: admin--- via Exim-dev
Subject: Re: [exim-dev] [Bug 2266] New: TLS SNI should default set


> On Apr 17, 2018, at 4:17 PM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> Handling for DANE should be in issue 2265. DANE should stop using the tls_sni
> SMTP Transport option and DANE handling is not in-scope for _this_ tracking
> bug.
>
> IMO tls_sni should default to $domain, which requires disabling multi_domain by
> default.


Not sure what you mean by "$domain", but the DANE SNI *must* be the TLSA
base domain, which is typically the MX hostname (but sometimes its full
CNAME expansion). It is only the nexthop domain when the domain has no
MX records (implicit MX) or an explicit MX whose name is the domain itself.

Thus for:

    example.net. IN MX 0 smtp.example.net.
    smtp.example.net. IN A 192.0.2.1
    _25._tcp.smtp.example.net. IN TLSA 3 1 1 ...
the SNI value must be "smtp.example.net" not "example.net".
The SMTP server must not abort the handshake when it finds
no matching certificate, rather it must select some
appropriate default chain.

-- 
    Viktor.
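The selection rule described in the reply above, as an added example that is not part of this thread or of Exim's own code: given constructed DNS records, pick the DANE SNI (the TLSA base domain) by taking the lowest-preference MX host (the nexthop domain itself when there is no MX), then looking for TLSA records at the fully CNAME-expanded name first and at the original host second, which is the RFC 7672 lookup order (assumed here). The zone data, hostnames and function names are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data (not real DNS): (owner, rrtype) -> list of rdata strings.
# MX rdata is "pref host", CNAME rdata is the target; TLSA rdata is opaque here.
Zone = Dict[Tuple[str, str], List[str]]

ZONE: Zone = {
    # The case from the message: the MX host carries the TLSA record.
    ("example.net.", "MX"): ["0 smtp.example.net."],
    ("_25._tcp.smtp.example.net.", "TLSA"): ["3 1 1 <placeholder-hash>"],
    # Constructed: MX host is a CNAME, TLSA lives at the expanded name.
    ("example.org.", "MX"): ["10 mx.example.org."],
    ("mx.example.org.", "CNAME"): ["mxhost.example.com."],
    ("_25._tcp.mxhost.example.com.", "TLSA"): ["3 1 1 <placeholder-hash>"],
    # Constructed: no MX at all (implicit MX), TLSA at the domain itself.
    ("_25._tcp.example.com.", "TLSA"): ["3 1 1 <placeholder-hash>"],
    # Constructed: explicit MX whose name is the domain itself.
    ("example.info.", "MX"): ["10 example.info."],
    ("_25._tcp.example.info.", "TLSA"): ["3 1 1 <placeholder-hash>"],
    # Constructed: MX present but no TLSA anywhere -> no DANE, no DANE SNI.
    ("example.edu.", "MX"): ["5 mail.example.edu."],
}


def expand_cname(name: str, zone: Zone, limit: int = 8) -> str:
    """Follow a CNAME chain to its end (bounded so a loop cannot spin forever)."""
    for _ in range(limit):
        targets = zone.get((name, "CNAME"))
        if not targets:
            return name
        name = targets[0]
    raise ValueError("CNAME chain too long: %s" % name)


def dane_sni(nexthop: str, zone: Zone) -> Optional[str]:
    """Return the TLSA base domain (the DANE SNI) for a nexthop domain, or None."""
    mx = zone.get((nexthop, "MX"))
    if mx:
        # Lowest preference wins; the host is the second field of the rdata.
        host = min(mx, key=lambda r: int(r.split()[0])).split()[1]
    else:
        host = nexthop  # implicit MX: the domain itself is the MX host
    # Try the fully CNAME-expanded name first, then the original MX host.
    for cand in (expand_cname(host, zone), host):
        if zone.get(("_25._tcp." + cand, "TLSA")):
            return cand.rstrip(".")
    return None
```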