Re: [exim] MTA-STS and Server Name Indication (SNI) on mail …

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] MTA-STS and Server Name Indication (SNI) on mail servers
On Wed, Jun 17, 2020 at 06:22:28PM -0400, Phil Pennock via Exim-users wrote:

> I keep mentally thinking that we're setting this automatically when DANE
> is in play but it looks like we never got around to that. Ah, I stopped
> relying on fallible memory and filed a bug about it:
> <https://bugs.exim.org/show_bug.cgi?id=2265>
> and we paused on "if we flat-out ignore the configured value for DANE,
> we lose flexibility" ... but I suspect we should go ahead and flat-out
> ignore it, as we do for several other TLS options once DANE is in play.


Thanks for bringing this up. Indeed for DANE it is essential to ignore
any statically configured value and use the "TLSA base domain".
Otherwise, the cert chain you get may well not be the one promised in
the TLSA records.

Postfix ignores the static SNI setting when doing DANE. Exim needs
to do the same. The required SNI name is specified in RFC 7672 (and/or
RFC 7671), and should not be second-guessed.

-- 
    Viktor.
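An added illustration of the rule the reply is describing, not code from Exim, Postfix or the poster: the TLSA base domain is derived the RFC 7672 way (section 2.2.2, fully CNAME-expanded name first when the chain validated, then the unexpanded MX host name), and with DANE in play that name is the SNI (section 3.1.3), whatever SNI the administrator configured statically. The DNS answers are constructed and tagged with a simulated DNSSEC validation status ("secure", "insecure" or "bogus"); `resolve_tlsa_base_domain`, `choose_sni` and `DaneTempFail` are helper names invented for this example, and the TLSA digests are placeholder bytes.

```python
"""Pick the SNI name for an outbound SMTP connection the RFC 7672 way.

Added illustration only (not Exim or Postfix code). The DNS data below is
constructed; DNSSEC validation is simulated by tagging every answer
"secure", "insecure" or "bogus". Helper names are this example's own.
"""

# Constructed DNSSEC view: owner name -> (answer, validation status).
CNAME = {
    # MX host is a CNAME into a hosting provider's zone; both zones signed.
    "mx.example.com.": ("smtp.provider.example.", "secure"),
    # An unsigned CNAME: its target must not be trusted for TLSA purposes.
    "mx.unsigned.example.": ("relay.unsigned.example.", "insecure"),
}

TLSA = {
    # (usage, selector, matching type, hex digest); digests are placeholders.
    "_25._tcp.smtp.provider.example.": ([(3, 1, 1, "00" * 32)], "secure"),
    "_25._tcp.mx.direct.example.": ([(2, 1, 1, "11" * 32)], "secure"),
    # A validation failure ("bogus"): the client must defer, never downgrade.
    "_25._tcp.mx.broken.example.": ([], "bogus"),
}


class DaneTempFail(Exception):
    """Bogus DNS data: the message must be deferred, not sent unauthenticated."""


def expand_cname(name, limit=8):
    """Follow the CNAME chain; it counts as secure only if every hop validated."""
    secure = True
    for _ in range(limit):
        hop = CNAME.get(name)
        if hop is None:
            return name, secure
        target, status = hop
        if status == "bogus":
            raise DaneTempFail(f"bogus CNAME for {name}")
        secure = secure and status == "secure"
        name = target
    raise DaneTempFail("CNAME chain too long")


def lookup_tlsa(base):
    """Return (records, validated?) for _25._tcp.<base>; bogus answers defer."""
    records, status = TLSA.get(f"_25._tcp.{base}", ([], "insecure"))
    if status == "bogus":
        raise DaneTempFail(f"bogus TLSA for {base}")
    return records, status == "secure"


def resolve_tlsa_base_domain(mx_host):
    """RFC 7672 s2.2.2: try the fully CNAME-expanded name first, but only when
    the whole chain validated; otherwise (or if nothing is there) fall back to
    the unexpanded MX host name. None means no secure TLSA RRset: DANE does not
    apply and the connection is merely opportunistic TLS."""
    expanded, chain_secure = expand_cname(mx_host)
    if chain_secure and expanded != mx_host:
        records, secure = lookup_tlsa(expanded)
        if secure and records:
            return expanded
    records, secure = lookup_tlsa(mx_host)
    if secure and records:
        return mx_host
    return None


def choose_sni(mx_host, configured_sni=None):
    """With DANE in play the SNI MUST be the TLSA base domain (RFC 7672 s3.1.3),
    so any statically configured SNI is ignored; without DANE the static value,
    if any, is used as before. Returns (sni, mode)."""
    base = resolve_tlsa_base_domain(mx_host)
    if base is not None:
        return base, "dane"
    return configured_sni, "opportunistic"


if __name__ == "__main__":
    for host in ("mx.example.com.", "mx.direct.example.", "mx.unsigned.example."):
        print(host, "->", choose_sni(host, configured_sni="static.example."))
```

The point the example makes concrete: for `mx.example.com.` the certificate chain the server presents is the one matched by the TLSA records at `smtp.provider.example.`, so sending any other name in SNI (the static `static.example.` here) could get a different chain back and make an otherwise correct DANE deployment fail verification. The "bogus" case is kept separate from "no TLSA records" because the two must be handled differently: the former defers delivery, the latter just means DANE does not apply.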