for incoming smtp deliveries with starttls, use cert of hostname if sni hostname is unknown

instead of failing the connection because no certificates are available.

this may improve interoperability. perhaps the remote smtp client that's doing
the delivery will decide they do like the tls cert for our (mx) hostname after
all.

this only applies to incoming smtp deliveries. for other tls connections
(https, imaps/submissions and imap/submission with starttls) we still cause
connections for unknown sni hostnames to fail. if case no sni was present, we
were already falling back to a cert for the (listener/mx) hostname, that
behaviour hasn't changed.

for issue #206 by RobSlgm

smtpserver/server.go

@@ -190,9 +190,13 @@ func Listen() {
 	for _, name := range names {
 		listener := mox.Conf.Static.Listeners[name]
 
-		var tlsConfig *tls.Config
+		var tlsConfig, tlsConfigDelivery *tls.Config
 		if listener.TLS != nil {
 			tlsConfig = listener.TLS.Config
+			// For SMTP delivery, if we get a TLS handshake for an SNI hostname that we don't
+			// allow, we'll fallback to a certificate for the listener hostname instead of
+			// causing the connection to fail. May improve interoperability.
+			tlsConfigDelivery = listener.TLS.ConfigFallback
 		}
 
 		maxMsgSize := listener.SMTPMaxMessageSize
@@ -208,7 +212,7 @@ func Listen() {
 			port := config.Port(listener.SMTP.Port, 25)
 			for _, ip := range listener.IPs {
 				firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
-				listen1("smtp", name, ip, port, hostname, tlsConfig, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
+				listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
 			}
 		}
 		if listener.Submission.Enabled {