Purpose of proposed changes
This PR resolves the RFC 8461 non-compliance spotted by Ján Máté: in order to comply with the standard, an MTA-STS-enabled server has to use the SNI extension in its TLS dial-outs. The necessary support for SNI was introduced in Postfix 3.4+, and older versions do not support options which require SNI.
So this PR contains a breaking change which makes the SNI requirement the default, but leaves a config option to resort to the old behavior.
Essential steps taken
Practical changes happened in code:
Added `require_sni` option in zone config which causes the STS responder to add the `servername=hostname` keyword to its policy responses.
Enabled the `require_sni` option by default.
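To make the effect of `require_sni` concrete, here is an added example (not code from this PR or from the resolver project) of how a socketmap responder can turn a fetched MTA-STS policy into the string Postfix expects in `smtp_tls_policy_maps`, with and without the `servername=hostname` attribute. The policy-file format follows RFC 8461 and the `secure match=... servername=hostname` syntax is Postfix's (3.4+) TLS policy table syntax; the function names, the sample policy text, and the choice to return `None` for non-enforce modes are assumptions of this example.

```python
"""Build a Postfix smtp_tls_policy_maps response from an MTA-STS policy.

Added illustration for the PR above; not code from postfix-mta-sts-resolver.
Assumptions: function names, the constructed SAMPLE_POLICY, and treating any
mode other than "enforce" as "no policy" (None) are choices of this example.
"""
from typing import Dict, List, Optional


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Parse the "key: value" policy served at /.well-known/mta-sts.txt.

    RFC 8461 section 3.2: one pair per line; "mx" may appear several times.
    """
    mx: List[str] = []
    fields: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    fields["mx"] = mx
    return fields


def mx_pattern_to_postfix(mx: str) -> str:
    """Map an MTA-STS MX pattern to Postfix "match=" syntax.

    RFC 8461 allows a leading "*." wildcard; this example expresses it as a
    leading "." in the Postfix match list (an assumption of this example).
    """
    if mx.startswith("*."):
        return "." + mx[2:]
    return mx


def postfix_tls_policy(policy: Dict[str, object],
                       require_sni: bool = True) -> Optional[str]:
    """Return the policy string a socketmap responder would hand to Postfix.

    Only "enforce" yields a "secure" policy; for "testing" and "none" this
    example returns None so Postfix keeps its own default TLS settings.
    With require_sni the response carries "servername=hostname", which tells
    Postfix 3.4+ to send the SMTP server's hostname in the TLS SNI extension.
    Older Postfix releases do not understand that attribute, which is why the
    PR keeps an option to omit it.
    """
    if policy["mode"] != "enforce":
        return None
    mx_list = policy["mx"]
    assert isinstance(mx_list, list)
    patterns = ":".join(mx_pattern_to_postfix(mx) for mx in mx_list)
    parts = ["secure", f"match={patterns}"]
    if require_sni:
        parts.append("servername=hostname")
    return " ".join(parts)


# Constructed sample policy in the format MTA-STS serves over HTTPS.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.com
max_age: 604800
"""

if __name__ == "__main__":
    parsed = parse_mta_sts_policy(SAMPLE_POLICY)
    print(postfix_tls_policy(parsed))                     # Postfix 3.4+
    print(postfix_tls_policy(parsed, require_sni=False))  # pre-3.4 fallback
```

Running the block prints `secure match=mx1.example.com:.backup.example.com servername=hostname` for the default and the same line without `servername=hostname` when SNI is not required; the second form is what an operator stuck on Postfix older than 3.4 would need to keep selecting via the config option the PR leaves in place.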