Re: TLS SNI support

listsrhsoft.net
Date: Fri Nov 07 2014 - 00:11:59 CST


On 07.11.2014 at 02:52, Peter wrote:
> On 11/07/2014 11:35 AM, Sven Köhler wrote:
>> I don't have the option to buy one IP per hostname that I want to
>> support. As we all know, IPv4 addresses are expensive as there are not
>> many of them left.
>
> The current best practice method in dealing with this is you just
> have one hostname for submission (smtp.provider.tld) instead of one per
> domain, then everyone is instructed to use the one domain for submission
> (and likely for fetching email via IMAP as well, but that's off-topic
> for postfix)

and it is smart to do it that way

other than for webservers you have not different contents for different
hostnames but mandatory user authentication - so why waste time and
money dealing with different hostnames and certificates?

even a multi-domain certificate is a nightmare when you get new domains
and need to replace it every time and even if SNI would be supported you
likely will not have much luck with client support (and no, users don't
use up-to-date software all the time - sad but true)

until now nobody was able to tell me any benefit of multiple server
names for a mailserver instead of 1 hostname, 1 certificate and 1 PTR
matching the A-record and HELO name with 100, 200, 300, 500 MX records
in different domains pointing there
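
An added example, not part of the original message: a small offline audit of the single-hostname layout described above (one hostname, one certificate, one PTR matching the A record and HELO name, many MX records pointing at it). All host names, the 192.0.2.25 address and the record tables are constructed sample data, and `audit` and `san_matches` are hypothetical helper names.

```python
# Constructed sample records (assumptions, not taken from the thread).
MAIL_HOST = "mail.provider.example"
HELO_NAME = "mail.provider.example"
CERT_SANS = ["mail.provider.example"]          # names in the one certificate
A = {"mail.provider.example": "192.0.2.25"}    # forward lookup
PTR = {"192.0.2.25": "mail.provider.example."}  # reverse lookup
MX = {
    "customer-a.example": ["mail.provider.example."],
    "customer-b.example": ["MAIL.provider.example"],
    "customer-c.example": ["mx.customer-c.example"],  # deliberately inconsistent
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def san_matches(host, sans):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    host = norm(host)
    for san in map(norm, sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def audit(mail_host, helo, a, ptr, mx, sans):
    """Return a list of findings; an empty list means the layout is consistent."""
    host, findings = norm(mail_host), []
    ip = a.get(host)
    if ip is None:
        findings.append(f"no A record for {host}")
    elif norm(ptr.get(ip, "")) != host:
        findings.append(f"PTR for {ip} does not match {host}")
    if norm(helo) != host:
        findings.append(f"HELO name {helo} does not match {host}")
    if not san_matches(host, sans):
        findings.append(f"certificate does not cover {host}")
    for domain in sorted(mx):
        for target in mx[domain]:
            if norm(target) != host:
                findings.append(f"{domain}: MX {target} does not point at {host}")
    return findings

if __name__ == "__main__":
    for line in audit(MAIL_HOST, HELO_NAME, A, PTR, MX, CERT_SANS) or ["consistent"]:
        print(line)
```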