> On Oct 23, 2017, at 12:17 PM, Ivan Ristic <[hidden email]> wrote:
> Not in practice. If you're not using vanity MX, it's obvious where the email
> is going.
Actually (ignoring for the moment the clear-text DNS query leak, which
DNSPRIV is supposed to address) the opposite is true. When sending email
without SNI to any of the domains below the TLS network traffic looks
largely the same (no leak of the recipient domain).
We can only make progress on the pros/cons of SNI for SMTP STS if we
can get the basic facts straight. The quoted text above is simply

cleanis.nu. IN MX 0 cleanis-nu.mail.protection.outlook.com.
cleanis-nu.mail.protection.outlook.com. IN A 184.108.40.206
cleanis-nu.mail.protection.outlook.com. IN A 220.127.116.11
targetoo.co.uk. IN MX 0 targetoo-co-uk.mail.protection.outlook.com.
targetoo-co-uk.mail.protection.outlook.com. IN A 18.104.22.168
targetoo-co-uk.mail.protection.outlook.com. IN A 22.214.171.124
tib.nu. IN MX 0 tib-nu.mail.protection.outlook.com.
tib-nu.mail.protection.outlook.com. IN A 126.96.36.199
tib-nu.mail.protection.outlook.com. IN A 188.8.131.52
taberna.no. IN MX 10 taberna-no.mail.protection.outlook.com.
taberna-no.mail.protection.outlook.com. IN A 184.108.40.206
taberna-no.mail.protection.outlook.com. IN A 220.127.116.11

(IP addresses vary based on global DNS load balancers).
So SNI would add a privacy leak channel to SMTP TLS. The same
leak presently exists for the DNS MX lookup, but that's
cached, so made less frequently, and may be at some point
in part addressed via DPRIV.
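The following is an added example, not part of the reply above or of any SMTP STS implementation. It takes the MX/A records quoted in the reply (with the IP addresses exactly as printed there) and works out, for each recipient domain, which other domains a passive observer of the SMTP TLS connection could not tell apart: once when the observer sees only the destination IP (no SNI), and once when the observer also sees an SNI name equal to the MX hostname. The record parser, the function names and the assumption that an SNI-enabled client would send the MX hostname are all mine.

```python
"""Anonymity sets of a recipient domain seen by a passive observer of
SMTP TLS, with and without SNI.  Added example; the records below are
the ones quoted in the mailing-list reply, not live DNS data."""
from collections import defaultdict

# Constructed input: the MX and A records quoted in the reply, one per line.
DNS_RECORDS = """\
cleanis.nu. IN MX 0 cleanis-nu.mail.protection.outlook.com.
cleanis-nu.mail.protection.outlook.com. IN A 184.108.40.206
cleanis-nu.mail.protection.outlook.com. IN A 220.127.116.11
targetoo.co.uk. IN MX 0 targetoo-co-uk.mail.protection.outlook.com.
targetoo-co-uk.mail.protection.outlook.com. IN A 18.104.22.168
targetoo-co-uk.mail.protection.outlook.com. IN A 22.214.171.124
tib.nu. IN MX 0 tib-nu.mail.protection.outlook.com.
tib-nu.mail.protection.outlook.com. IN A 126.96.36.199
tib-nu.mail.protection.outlook.com. IN A 188.8.131.52
taberna.no. IN MX 10 taberna-no.mail.protection.outlook.com.
taberna-no.mail.protection.outlook.com. IN A 184.108.40.206
taberna-no.mail.protection.outlook.com. IN A 220.127.116.11
"""


def parse_records(text):
    """Parse zone-style lines into (mx: domain -> MX hosts, a: host -> IPs).

    Only the 'owner IN MX pref host' and 'owner IN A addr' shapes used in
    the reply are handled; anything else is skipped.
    """
    mx, a = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue
        owner, rtype = fields[0].rstrip("."), fields[2]
        if rtype == "MX" and len(fields) == 5:
            mx[owner].add(fields[4].rstrip("."))
        elif rtype == "A":
            a[owner].add(fields[3])
    return mx, a


def delivery_ips(domain, mx, a):
    """IPs an MTA may connect to when delivering mail for `domain`."""
    ips = set()
    for host in mx.get(domain, ()):
        ips |= a.get(host, set())
    return ips


def anonymity_sets(mx, a):
    """For each domain return (ip_peers, sni_peers).

    ip_peers:  domains whose delivery traffic shares at least one
               destination IP with this domain (what a passive observer
               sees when the client sends no SNI).
    sni_peers: domains whose MX hostname is identical to this domain's
               (what the observer sees if the client sends the MX
               hostname as SNI; assumption: that is what an SNI-enabled
               client would send).
    """
    domains_by_ip = defaultdict(set)
    domains_by_host = defaultdict(set)
    for domain in mx:
        for ip in delivery_ips(domain, mx, a):
            domains_by_ip[ip].add(domain)
        for host in mx[domain]:
            domains_by_host[host].add(domain)

    result = {}
    for domain in mx:
        ip_peers = set()
        for ip in delivery_ips(domain, mx, a):
            ip_peers |= domains_by_ip[ip]
        sni_peers = set()
        for host in mx[domain]:
            sni_peers |= domains_by_host[host]
        result[domain] = (frozenset(ip_peers), frozenset(sni_peers))
    return result


def mx_host_encodes_domain(domain, host):
    """True when the MX hostname's first label is the recipient domain with
    dots replaced by hyphens (the naming pattern visible in the quoted
    records).  Heuristic for this provider only, not a general rule."""
    return host.split(".")[0] == domain.replace(".", "-")


if __name__ == "__main__":
    mx_map, a_map = parse_records(DNS_RECORDS)
    for dom, (ip_peers, sni_peers) in sorted(anonymity_sets(mx_map, a_map).items()):
        print(f"{dom}: indistinguishable by IP from {sorted(ip_peers)}, "
              f"by SNI from {sorted(sni_peers)}")
```

On the quoted records, cleanis.nu and taberna.no resolve to the same two addresses, so destination IP alone leaves them indistinguishable, while the per-domain MX hostname sent as SNI would narrow every domain to a set of one. With real, load-balanced provider pools the IP-based sets are larger still, which is the gap the reply is pointing at.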