Re: [exim] Problem with tls_certificate and multiple domains

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Problem with tls_certificate and multiple domains
On 17.10.19 at 00:17, Viktor Dukhovni via Exim-users wrote:
>
>> You will never know what to provide, as the servername is part of the
>> initial greeting HELO. Your setup will fail every time, because it's too
>> late when you find out what to use. See below why .
> This is false: neither the name in the 220 greeting (banner) nor
> the initial line of the EHLO response precludes the server
> from presenting a different name in its certificate, possibly based
> on SNI.


SMTP:

CONNECTED(00000003)
220 mail.server.de ESMTP Exim 4.92.3 Thu, 17 Oct 2019 10:18:20 +0200
EHLO mail.example.com
250-mail.server.de Hello muedsl-82-207-210-124.citykom.de [82.207.210.124]
...
STARTTLS
220 TLS go ahead

There is no way to figure out what to write in the 220 greeting, unless
you have multiple IPs on your server and each IP stands for a different
server.
That's how it worked before SNI was introduced back in 1999, and why SNI
is such an improvement for SSL/TLS.

Nothing else was written above.

>>
> False, only MTAs look at MX records, IMAP clients and SUBMIT clients
> do not.

A "client" may not have the need to do it, that's true.
>> And if you can't find out, why your mailclient uses a specific name as
>> server, check the autodiscover result for the domain,
>> you may find a hardcoded servername there.
> For all but the largest email providers (Google, Microsoft, ...),
> there is little use of "autodiscover", the user fills in the IMAP
> and SMTP server names. The closest to that is:
>


Thanks, didn't know that I already play in the big league :)  I'm sorry
to disappoint you, but if autodiscover isn't working properly, you will be
in a lot of trouble if you provide mail services to more than a handful
of your friends. And just for Outlook alone, you have to offer 3
different versions, thanks to (insert higher authority of choice here);
most of the clients use Mozilla's AD protocol.

Autodiscover (via HTTP) really helps to make it easier for the masses,
and anyone who is offering mail services should implement the basic
methods for it.

Best regards,
Marius
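An added example for checking the point argued above against your own server; it is not code from the thread or from Exim. It records the hostname in the 220 greeting, then does STARTTLS offering a chosen SNI name and reports which names the presented certificate actually covers, so you can see whether the banner name, the SNI name, or both are in the certificate. Host, port and SNI are your own inputs (the EHLO name probe.invalid is a placeholder), and the certificate must chain to a CA the system trusts for getpeercert() to return any names.

```python
import re
import socket
import ssl

def banner_hostname(banner):
    """Hostname announced in a 220 greeting: the first token after the code."""
    m = re.match(r"220[ -](\S+)", banner)
    if not m:
        raise ValueError("not a 220 greeting: %r" % banner)
    return m.group(1)

def cert_names(cert):
    """DNS names from an ssl.getpeercert() dict: subjectAltName, then the CN."""
    return ([v for t, v in cert.get("subjectAltName", ()) if t == "DNS"] +
            [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"])

def name_matches(name, cert):
    """True if the certificate covers `name` (exact, or a single-label wildcard)."""
    name = name.lower()
    return any(n == name or (n.startswith("*.") and n.count(".") == name.count(".")
                             and name.endswith(n[1:]))
               for n in map(str.lower, cert_names(cert)))

def read_reply(f):
    """Read one SMTP reply, single- or multi-line; return (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def probe(host, sni, port=25, timeout=10):
    """STARTTLS to host, offering `sni`; compare the banner name with the certificate."""
    ctx = ssl.create_default_context()  # system CAs: the chain must verify
    ctx.check_hostname = False          # names are compared explicitly below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _, banner = read_reply(f)
        sock.sendall(b"EHLO probe.invalid\r\n")  # placeholder EHLO name
        read_reply(f)
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:  # sends SNI
            cert = tls.getpeercert()
    bname = banner_hostname(banner[0])
    return {"banner": bname, "sni": sni, "cert_names": cert_names(cert),
            "banner_in_cert": name_matches(bname, cert), "sni_in_cert": name_matches(sni, cert)}
```

Run probe() once per hosted domain name as SNI; a domain whose result has sni_in_cert False is one where clients sending that SNI will get a certificate that does not match it.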