SNI like equivalent for starttls

Solution 1:

No. SMTP is designed to have the entire email communication path traced in the email, and each connection would terminate and relay the email. You should use transport maps (for Postfix) to control the destination by email address, not MTA hostname.

If you are receiving email for both domains locally, then your email server should handle that. If this single IP is forwarding email to two other servers internally, then transport maps are what you are looking for in terms of a Postfix server.

If this is an outbound relay server (SMTPS), you would need to handle authentication for both domains at this server, as you cannot "proxy" like you do with nginx/haproxy and SNI.

Solution 2:

According to the documentation, Postfix sends SNI information in the TLS handshake after the STARTTLS command, at least in the case where TLSA records are published in DNS:

When usable TLSA records are obtained for the remote SMTP server the Postfix SMTP client sends the SNI TLS extension in its SSL client hello message. This may help the remote SMTP server live up to its promise to provide a certificate that matches its TLSA records.

I'm not sure if this is sufficient, but it suggests that SNI can and should be used with STARTTLS; if some senders are not doing this, I would consider them broken.

Further, this IETF draft specifies that SNI shall be used:

The client uses the DNSSEC validation status of the SRV query in its server certificate identity checks. (The TLSA validation status does not affect the server certificate identity checks.) It SHALL use the Server Name Indication extension (TLS SNI) or its functional equivalent in the relevant application protocol...

Solution 3:

You don't need SNI for this. Most MTAs support routing based on domain. For example postfix has a transport map. You'd make a map something like:

foo.com     smtp:[mail.foo.com]
bar.com     smtp:[mail.bar.com]