No. That's not how ESNI works with the current draft, nor
how I guess it'll evolve. The TLS server (MTA in this case)
has to publish a key share and other stuff in the DNS for
ESNI to work and has to keep the DNS content and TLS server
config in-whack. So merely upgrading a library won't turn on
ESNI, it needs specific action from some admin-like being.
Ah, I should take another look. But I still don't think it matters
if an MTA acts for loads of domains on one IP address using
different certificates via ESNI where the names in those
certificates aren't easily mapped to other message content.
The cert names are tied to the MX which is tied to the recipient. If you
know the recipient, which you do in nearly every situation where there's
Received headers, game over regardless of how the SNI is communicated.
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for
Please consider the environment before reading this e-mail. https://jl.ly
ietf-smtp mailing list
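To make the argument in the last reply concrete: the receiving MTA's name is already in the `by` clause of the Received header, and the recipient address in the `for` clause maps to an MX hostname through a public DNS lookup, so an observer of message headers can attribute the TLS server's certificate names without ever seeing an SNI, encrypted or not. The following is an added example, not code from anyone in this thread; the MX table and the Received header are constructed stand-ins (a real assessment would query DNS), and the function names are my own.

```python
import re

# Constructed stand-in for DNS MX data: recipient domain -> MX hosts, priority order.
MX_TABLE = {
    "example.com": ["mx1.mail.example.com", "mx2.mail.example.com"],
    "example.net": ["mx1.mail.example.com"],  # hosted on the same MTA as example.com
    "example.org": ["inbound.example.org"],
}

# Constructed sample Received header as an inbound MTA would add it.
SAMPLE_RECEIVED = (
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10])\n"
    "\tby mx1.mail.example.com with ESMTPS id 4Xyz123\n"
    "\tfor <alice@example.net>; Mon, 1 Jan 2024 00:00:00 +0000"
)

# 'by <host>' names the receiving MTA; 'for <addr>' names the recipient.
RECEIVED_RE = re.compile(
    r"by\s+(?P<by>[A-Za-z0-9.-]+).*?for\s+<(?P<rcpt>[^>]+)>", re.S
)


def parse_received(header):
    """Return the receiving host and recipient from a Received header, or None."""
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    return {"by": m.group("by").lower(), "rcpt": m.group("rcpt").lower()}


def mx_for(addr):
    """MX hosts for the recipient's domain (constructed table; a real check uses DNS)."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return MX_TABLE.get(domain, [])


def inferable_server_names(header):
    """Server names an observer can attribute to the TLS endpoint from the
    Received header alone, with no SNI of any kind in view."""
    parsed = parse_received(header)
    if parsed is None:
        return set()
    names = {parsed["by"]}
    names.update(mx_for(parsed["rcpt"]))
    return names


def sni_hiding_helps(header, cert_sans):
    """True only when none of the certificate's names can be mapped from the
    message content, which is the only case where hiding the SNI gains anything.
    With a recipient or receiving host in the headers this is False."""
    return not (inferable_server_names(header) & {s.lower() for s in cert_sans})


if __name__ == "__main__":
    sans = ["mx1.mail.example.com", "mx2.mail.example.com"]
    print(inferable_server_names(SAMPLE_RECEIVED))
    print("SNI hiding adds privacy here:", sni_hiding_helps(SAMPLE_RECEIVED, sans))
```

The function only returns True for a header that carries neither a usable `for` recipient nor a `by` host matching the certificate, which is the situation the earlier reply describes (certificate names not mappable to other message content) and which ordinary Received headers do not provide.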