[Top] [All Lists]

Re: RFC 3207 (STARTTLS) question

2005-08-23 11:39:46

On Mon, 22 Aug 2005, Claus Assmann wrote:

However, in some cases you don't want to speak to a particular
"personality" (virtual host) of a server but to several of them
because you figured out that <A(_at_)Z> and <B(_at_)Y> are both served by
the same host. This is one of the problems when I looked into
session reuse (as well as sending multiple RCPTs in a single
transaction): under which circumstances is it ok to do that?

This is why the distinction between hostnames and mail domains is
important. It is the *host* that you are talking to (not a mail domain) so
that is what a TLS cert should verify. That host should be prepared to
handle any recipient address at any mail domain for which it is the
advertised MX target, regardless of other recipients of the message or
other messages in the session. Virtual hosts, as in web server
terminology, usually don't make sense for email because MX records provide
the necessary indirection.

I will also add that failure to distinguish between hosts and the mail domains
they serve is often a significant source of confusion, even for experienced
operators. I've lost track of the number of customers problems that traced back
to this basic misunderstanding.

I always recommend using naming conventions to make the distinction clear.
Sadly, I often deal with existing large)deployments where naming
choices - sometimes extremely poor ones - are essentially cast in stone.


<Prev in Thread] Current Thread [Next in Thread>