These posts will give you more hindsight:
https://www.facebook.com/notes/protect-the-graph/massive-growth-in-smtp-starttls-deployment/1491049534468526/
https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223

On Thu, May 12, 2016 at 10:47 AM, <ml+mai...@esmtp.org> wrote:

> On Thu, May 12, 2016, Jeffry Dwight wrote:
>
> > So, what do you all do? Right now, I'm verifying the cert and its chain, but
> > ignoring CN mismatches. That seems to be fine for ensuring encryption, but
>
> Only log "problems" (why should I trust some CA?) unless explicitly
> configured to check (for a few "important"/"known" hosts).
>
> > rather defeats the purpose of knowing we're connecting to the proper server.
>
> DANE.
>
> > Second question: How do you handle self-signed certs? Do you just ignore cases
> > where the root isn't a trusted root?
>
> Same as above.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
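
Added example, not part of the original message or of any MTA's code: a sketch of the policy described in the thread, where chain and name problems are only logged for ordinary destinations and enforced for explicitly configured hosts. The names `STRICT_HOSTS`, `name_matches` and `decide`, the hostnames, and the sample certificate dicts are all assumptions constructed for illustration.

```python
import logging

log = logging.getLogger("smtp-tls")

# Assumption: hosts the operator has explicitly configured for strict checking.
STRICT_HOSTS = {"mx.partner.example"}

# Constructed sample certs, shaped like ssl.SSLSocket.getpeercert() output.
CERT_PARTNER = {"subjectAltName": (("DNS", "mx.partner.example"),)}
CERT_SHARED = {"subjectAltName": (("DNS", "*.hosting.example"),)}


def name_matches(hostname, cert):
    """True if hostname matches a dNSName SAN in the cert dict."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard stands for exactly one left-most label.
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False


def decide(hostname, cert, chain_error=None, strict_hosts=STRICT_HOSTS):
    """Return (action, problems); action is 'deliver' or 'defer'."""
    problems = []
    if chain_error:  # e.g. untrusted root or self-signed certificate
        problems.append("chain: " + chain_error)
    if not name_matches(hostname, cert):
        problems.append("name mismatch")
    if problems and hostname.lower().rstrip(".") in strict_hosts:
        log.error("%s: TLS verification failed: %s", hostname, problems)
        return "defer", problems
    for problem in problems:  # opportunistic TLS: record it, deliver anyway
        log.warning("%s: TLS problem, delivering anyway: %s", hostname, problem)
    return "deliver", problems
```
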