[exim] Re: no SNI used, when sending TLS secured messages ou…

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Subject: [exim] Re: no SNI used, when sending TLS secured messages out
On Mon, Jul 08, 2024 at 03:20:40PM +0200, Wolfgang via Exim-users wrote:
> Hello,


> Why is exim not using SNI for every TLS connection, which got established? SNI is helpful even far
> away from DANE for message routing, multiplexing MX and other stuff.


Historically, there wasn't a well-defined choice of SNI for an MX host
of a domain. Should the SNI signal the destination domain or the MX
hostname, or something else?

Also, not all servers were prepared to handle SNI, and some could drop
the connection for lack of an exact match. Since TLS with SMTP is
otherwise (DANE aside) opportunistic, there is little reason to be picky
and solicit a *particular* certificate. Perhaps the historical friction
has abated, and it is now safe enough to use SNI, but historically it
was not worth it.

What's more the SNI name used with DANE may be different than the one
one might choose with WebPKI (tlsa base domain involving a securely
resolved CNAME chain).

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/