Re: [exim] Problem with tls_certificate and multiple domains

Author: Evgeniy Berdnikov
To: exim-users
Subject: Re: [exim] Problem with tls_certificate and multiple domains
On Wed, Oct 16, 2019 at 04:05:51PM -0400, Viktor Dukhovni via Exim-users wrote:
> > On Oct 16, 2019, at 3:41 PM, Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:
> >
> >> So, how do I configure exim so mail can still be accessed via tls and an account can be created without any complaints about certificates from Apple Mail?
> >
> > It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
> > require specific host names for TLS (at least by default). So you should
> > configure your Mac Mail client to use exactly those DNS names for SMTP
> > and IMAP/POP3 that are exposed in server certificates.
>
> That's the simplest approach to implement server-side. Anything else
> requires complicated provisioning of multiple certificate chains and
> SNI. The cost is that the IMAP and SUBMIT (outbound SMTP) servers have
> to be the same for all the domains, i.e. the mail clients need to be
> configured to use a fixed pair of server names, regardless of the
> user's mail domain.
>
> If you have many users, and require the flexibility to move their
> mail servers independently of each other, then you're forced to
> deploy SNI on any servers that handle more than one of these
> domains.
>
> Exim has supported SNI for a while. Correctly configured, it
> should work.

Agree. However, I do not know whether the Mac Mail client mentioned above
sends SNI on TLS handshakes with the MTA and the mailbox access servers.
--
Eugene Berdnikov
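
Added example (editor's note, not part of the thread above): the SNI-based certificate selection Viktor refers to, as an Exim main-configuration fragment. It relies on Exim's $tls_in_sni expansion variable (Exim 4.80 or newer; older releases spelt it $tls_sni): when tls_certificate or tls_privatekey references that variable, Exim holds the handshake until the client's SNI has arrived and then expands the option with it. The file paths, host names and the lsearch table layout are hypothetical. The commented-out "weak" form is included to show why the SNI value must not be pasted into a path.

```exim
# Added example, not from this thread. Paths and host names are hypothetical.

# Weak form (left commented out): the SNI is supplied by the remote client
# and is interpolated straight into a file name. A value containing path
# separators, e.g. "../private/other.key", would select an arbitrary file.
#tls_certificate = /etc/exim/tls/${tls_in_sni}.crt
#tls_privatekey  = /etc/exim/tls/${tls_in_sni}.key

# Safer form: the SNI is used only as a lookup key in a table under the
# administrator's control. An absent SNI (empty key) or an unknown name
# falls through to the default chain, so clients that send no SNI still
# get a valid certificate instead of a failed handshake.
# The two tables must be keyed identically so the certificate and the
# private key chosen for a connection always belong together.
tls_certificate = ${lookup{$tls_in_sni}lsearch{/etc/exim/tls/sni-certs}{$value}{/etc/exim/tls/default.crt}}
tls_privatekey  = ${lookup{$tls_in_sni}lsearch{/etc/exim/tls/sni-keys}{$value}{/etc/exim/tls/default.key}}

# Record the SNI each client sent on the "<=" log line (SNI="..."), which
# answers the question of whether a given mail client sends SNI at all.
log_selector = +tls_sni

# Hypothetical contents of /etc/exim/tls/sni-certs (lsearch format,
# "key: value"); /etc/exim/tls/sni-keys follows the same layout:
#   mail.example.org: /etc/exim/tls/mail.example.org.crt
#   smtp.example.net: /etc/exim/tls/smtp.example.net.crt
```

To verify the server side, connect twice with a different -servername and compare the returned subject/issuer, e.g. `openssl s_client -starttls smtp -connect mail.example.org:587 -servername smtp.example.net` (host names assumed); a client that omits -servername should receive the default chain. The `SNI="..."` field on the received-message log line then shows what the real mail clients send.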