From 7cd1ad0fbe9bc84ab03fac6cf6d1c8d28dcc018a Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Thu, 1 Aug 2019 00:16:05 +0200 Subject: [PATCH] Added information on SNI to "tips and tricks" section --- DANE-for-SMTP-how-to.md | 1 + 1 file changed, 1 insertion(+) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 6c4c3d2..5d1dbe5 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md 
@@ -138,6 +138,7 @@ This section describes several pionts for attention when implementing DANE for S * Roll-over scheme "current + next" gives less flexibility but the highest form of certainty, because of "tight pinning". * Implement monitoring of your DANE records to be able to detect problems as soon as possible. * Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed. +* Using Server Name Indication (SNI) in an e-mail environment (for matching the certificate offered by a recieving e-mail server) is only usefull when DANE and DNSSEC are used. DNSSEC to perform a reliable MX lookup and DANE to verify the authenticity of the certificate. Sending e-mail servers (the TLS client) usually don't use SNI, because some receiving e-mail servers (the TLS server) cannot handle this; in some cases the setting up of a TLS connection fails. For more information see [RFC 7672 section 8.1](https://tools.ietf.org/html/rfc7672#section-8.1) and [this blogpost by Filippo Valsorda](https://blog.filippo.io/the-sad-state-of-smtp-encryption/). # Inbound e-mail traffic (publishing DANE DNS records) This part of the how-to describes the steps that should be taken with regard to your inbound e-mail traffic, which primairily involves publishing DANE DNS records. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.
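Review bot: the added bullet leaves the reader without the one operational detail they need, namely which name the sending server is supposed to put in the SNI extension when DANE is in use; the text says SNI is "for matching the certificate offered by a receiving e-mail server" and points at RFC 7672 section 8.1, but never states the name to send, so please add it here rather than only by reference. The second half of the bullet is also vague: "some receiving e-mail servers (the TLS server) cannot handle this; in some cases the setting up of a TLS connection fails" does not say what the failure looks like (handshake aborted, wrong certificate returned) or which of the two cited sources documents it, so either make the failure mode concrete with the citation attached to it or soften the claim. Finally, fix the spelling in the new line before merging: "usefull" -> "useful", "recieving" -> "receiving"; the surrounding context line also carries "pionts" -> "points", which could be corrected in the same change since the hunk already touches this list.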