> Even if this isn't a big leak, I think it's still worth preserving
> a way in which SNIs don't leak - if the TLS client and server and
> TLS client's DNS setup (and maybe the TLS server's too) are all
> such that we've not leaked the SNI in any of those places then I
> think we're better off if we can avoid leaking it here.

Since this is mail, I would expect that in the vast majority of cases, the
SNI will be the host name in the MX record of the recipient's domain,
which the recipient already knows. It's not like the web where requests
can come unsolicited from anywhere. If a domain has multiple MXes, the IP
address of the mail server is already in the Received header so it's not
hard to triangulate. The main thing the SNI clause tells you is whether
the client used SNI at all.

We could have a larger discussion about redacting SMTP trace headers, but
not in this tiny I-D, please.

John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly