On 2021-10-07, Felipe Gasper felipe@felipegasper.com wrote:
On Oct 7, 2021, at 7:47 PM, Benny Pedersen me@junc.eu wrote:
https://dovecot.org/pipermail/dovecot/2013-December/094214.html
SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.
It also pre-dates some large mail services requiring SNI; mostly as a result of this, client support for SNI is much better now.
One benefit of doing this is that horizontal scaling can be done by moving entire domains to another server and repointing DNS; that way neither a protocol-level proxy nor client config changes are needed. It's not suitable for every mail service, but there are credible reasons to use SNI here.