These posts will give you more hindsight:

https://www.facebook.com/notes/protect-the-graph/massive-growth-in-smtp-starttls-deployment/1491049534468526/
https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223

On Thu, May 12, 2016 at 10:47 AM, <ml+mai...@esmtp.org> wrote:

> On Thu, May 12, 2016, Jeffry Dwight wrote:
>
> > So, what do you all do? Right now, I'm verifying the cert and its chain, but
> > ignoring CN mismatches. That seems to be fine for ensuring encryption, but
>
> Only log "problems" (why should I trust some CA?) unless explicitly
> configured to check (for a few "important"/"known" hosts).
>
> > rather defeats the purpose of knowing we're connecting to the proper server.
>
> DANE.
>
> > Second question: How do you handle self-signed certs? Do you just ignore cases
> > where the root isn't a trusted root?
>
> Same as above.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
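The policy discussed in this thread (verify, but only log failures unless the destination is one of a few explicitly configured hosts) can be sketched with Python's standard `smtplib` and `ssl` modules. This is an added example, not code from any poster in the thread; the host name in `STRICT_HOSTS` and the mode names are constructed assumptions, and DANE validation is not covered.

```python
import logging
import smtplib
import ssl

log = logging.getLogger("starttls-policy")

# Assumption: constructed list of the few "important"/"known" MX hosts to enforce on.
STRICT_HOSTS = {"mx.partner.example"}

def policy_for(mx_host, strict_hosts=STRICT_HOSTS):
    """Enforce verification only for explicitly configured hosts; log for the rest."""
    return "enforce" if mx_host.lower().rstrip(".") in strict_hosts else "log-only"

def make_context(mode):
    """strict: chain + name; chain-only: ignore name mismatch; encrypt-only: no auth."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    if mode != "strict":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
    if mode == "encrypt-only":
        ctx.verify_mode = ssl.CERT_NONE     # accepts self-signed / unknown roots
    return ctx

def starttls_with_policy(mx_host, port=25, timeout=30):
    """Return (smtp, mode) where mode is the strictest level that succeeded."""
    policy = policy_for(mx_host)
    for mode in ("strict", "chain-only", "encrypt-only"):
        smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
        try:
            smtp.ehlo()
            smtp.starttls(context=make_context(mode))
            smtp.ehlo()
            return smtp, mode
        except ssl.SSLCertVerificationError as exc:
            smtp.close()                    # a failed handshake kills the session
            log.warning("%s: %s check failed: %s", mx_host, mode, exc.verify_message)
            if policy == "enforce":
                raise                       # configured host: refuse to downgrade
    raise RuntimeError("unreachable: encrypt-only never raises a verification error")
```

The returned mode tells the caller whether the session was authenticated (`strict`), chain-verified with a name mismatch (`chain-only`), or merely encrypted (`encrypt-only`), which is the distinction worth recording in delivery logs.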