Re: [exim] Problem with tls_certificate and multiple domains

Author: Richard James Salts
Date:  
To: exim-users
Subject: Re: [exim] Problem with tls_certificate and multiple domains


On 16 October 2019 6:29:29 pm AEDT, Cyborg via Exim-users <exim-users@???> wrote:
>
>Nospam2k <nospam2k@???> (Wed 16 Oct 2019 08:05:05 CEST):
>> Perhaps I should go about this a different way. I am going to be
>> hosting multiple domains. Since it seems that $tls_in_sni is returning
>> blank and/or can be unreliable, what is the best way to handle things?
>> To just use a default domain for handling mail? For example, use
>> mail.myhosting.com for everything instead of mail.mysite.com?
>
>I can understand that you want to use the domain's own TLS cert, but SMTP
>TLS isn't about authenticity, it's about encryption.
>
>The cert your mailserver presents must match the hostname your mailserver
>has and which it presents to others. It's 100% OK to use the host's cert
>in TLS, as long as you have that name in your MX.


I don't think that SNI is remotely useful for MX traffic. Unless you're using DNSSEC you can't trust that a hostname appearing in an MX response is legitimate. If you're wanting to somehow tie the mail server to a legitimate certificate where it somehow reflects the recipient address then the only trustworthy value is the domain name of that address itself. For this reason a better option for authentication of MX records and mail servers is checking DANE/TLSA.


Where SNI becomes useful is for submission services. I believe many recent MUAs will send the server name extension in their TLS handshake to match what was added into the outgoing server setting. If this doesn't match then most will display a security warning similar to the way browsers do.
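As an added example (not code from this thread or from Exim), the Go program below illustrates both points made above: what "checking DANE/TLSA" means for MX traffic, namely pinning the receiving server's key through a TLSA record so the hostname in the MX answer never has to be trusted, and why SNI matters for submission, where the server picks a certificate by the name the client sends and a client configured for a given server name rejects a certificate that does not carry it. The .test hostnames, the self-signed certificates and the "default" fallback are constructed for the example; only the "3 1 1" (DANE-EE, SPKI, SHA-256) record form is handled, the DNSSEC-validated TLSA lookup itself is left out, and a real MUA would trust a CA rather than a single leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// newSelfSigned makes a throwaway self-signed certificate for one hostname.
// Constructed test material only; a real server loads its certificate files.
func newSelfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// tlsaSPKISHA256 renders the RDATA a zone owner publishes for this certificate
// as a DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record, the usual choice for SMTP.
func tlsaSPKISHA256(leaf *x509.Certificate) string {
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// matchesTLSA checks a presented leaf against "3 1 1 <hex>" RDATA. Usage 3 pins
// the end-entity key itself, so neither a CA chain nor the MX hostname is
// consulted; the record must have come from DNSSEC-validated resolution.
func matchesTLSA(leaf *x509.Certificate, rdata string) bool {
	f := strings.Fields(rdata)
	if len(f) != 4 || f[0] != "3" || f[1] != "1" || f[2] != "1" {
		return false // other usage/selector/matching-type combinations not handled
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return strings.EqualFold(f[3], hex.EncodeToString(sum[:]))
}

// handshakeSNI runs one in-memory TLS handshake. The server picks a certificate
// by the SNI name the client sends, falling back to certs["default"] (a fixed
// tls_certificate); the client, like a MUA configured for host sni, accepts only
// a trusted certificate carrying that name. Returns the DNS name it was shown.
func handshakeSNI(certs map[string]tls.Certificate, trusted *x509.Certificate, sni string) (string, error) {
	srvCfg := &tls.Config{
		SessionTicketsDisabled: true, // keeps the pipe exchange strictly request/response
		GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, ok := certs[hi.ServerName]
			if !ok {
				c = certs["default"]
			}
			return &c, nil
		},
	}
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	cliConn, srvConn := net.Pipe()
	done := make(chan struct{})
	go func() {
		tls.Server(srvConn, srvCfg).Handshake() // any failure surfaces on the client side
		srvConn.Close()
		close(done)
	}()
	c := tls.Client(cliConn, &tls.Config{ServerName: sni, RootCAs: pool})
	err := c.Handshake()
	var name string
	if err == nil {
		name = c.ConnectionState().PeerCertificates[0].DNSNames[0]
	}
	cliConn.Close()
	<-done
	return name, err
}

func main() {
	a, leafA, _ := newSelfSigned("mail.example-a.test")
	b, _, _ := newSelfSigned("mail.example-b.test")
	_, leafC, _ := newSelfSigned("mail.example-c.test") // server has no cert for this name
	fmt.Println("TLSA for A:", tlsaSPKISHA256(leafA))
	certs := map[string]tls.Certificate{"mail.example-a.test": a, "mail.example-b.test": b, "default": a}
	for _, l := range []*x509.Certificate{leafA, leafC} {
		name, err := handshakeSNI(certs, l, l.DNSNames[0])
		fmt.Printf("SNI %s -> presented %q, err: %v\n", l.DNSNames[0], name, err)
	}
}
```

The second handshake in main models the mismatch described above: the client asks for mail.example-c.test, the server falls back to its default certificate, and verification fails, which is the condition a MUA turns into its security warning.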