Re: [exim] MTA-STS and Server Name Indication (SNI) on mail …

Top Page
Delete this message
Reply to this message
Author: Felipe Gasper
Date:  
To: exim users
CC: Viktor Dukhovni
Subject: Re: [exim] MTA-STS and Server Name Indication (SNI) on mail servers

> On Jun 17, 2020, at 8:17 PM, Viktor Dukhovni via Exim-users <exim-users@???> wrote:
>
> However, its use is recommended:
>
>    https://tools.ietf.org/html/rfc8446#section-4.4.2.2

>
>    -  The "server_name" [RFC6066] and "certificate_authorities"
>       extensions are used to guide certificate selection.  As servers
>       MAY require the presence of the "server_name" extension, clients
>       SHOULD send this extension, when applicable.


The recommendation is contextual to cases “when applicable”. This is significant because in applications where the server ignores the extension it’s arguably counterproductive to send it since it discloses the hostname that the client intends to hit. Thus it seems that if the server ignores the extension, it’s better NOT to send it--at least until encrypted SNI becomes practical.

-FG