STARTTLS is opportunistic and doesn't protect against an active Man-in-the-Middle. In case of TLS problems it falls back to plain text.

To protect against a passive Man-in-the-Middle there is no actual difference between a self-signed certificate and a certificate from a recognized CA, so, except maybe a very few insignificant implementors, all peers accept self-signed certificates for STARTTLS (unless DANE or SMTP STS are used).

25.07.2017 17:51, Jonathan Leist wrote:
> Hello,
>
> We're looking to implement inbound TLS on machines that are only used
> to send mail and receive bounces, and I was wondering if anyone has
> encountered problems using a self-signed cert for that purpose. It
> seems like it would be easier to implement on a larger scale than
> would CA-signed certs, and using the self-signed cert worked fine in
> tests, but we also obviously don't want to do anything that would
> prevent us from receiving bounces.
>
> Thanks for your time.
>
> --
> Jonathan
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

--
Vladimir Dubrovin
@Mail.Ru
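Whether a self-signed certificate on the bounce-receiving side causes trouble is decided by the policy of the peer that is sending to it. The following is an added example, not code from the thread or from any MTA: it shows the two STARTTLS policies discussed above as an smtplib client would implement them, "opportunistic" (encrypt if offered, accept any certificate, fall back to clear text on failure) and "strict" (the MTA-STS/DANE-enforcing behaviour, where a failed verification defers the mail instead). The `FakeMX` class, the host name `mx.example.test` and the policy names are constructed for offline runs; `negotiate()` itself works unchanged against a connected `smtplib.SMTP` object.

```python
"""Opportunistic vs. strict STARTTLS policy on the sending side (added example)."""
import smtplib
import ssl


def tls_context(policy: str) -> ssl.SSLContext:
    """Build the SSLContext handed to smtplib's starttls().

    "opportunistic" is what practically every MTA does for plain STARTTLS:
    encrypt if the peer offers it, but accept any certificate, self-signed
    included.  "strict" is what an MTA-STS or DANE enforcing peer does: the
    certificate must verify, otherwise the message is not sent in the clear.
    """
    ctx = ssl.create_default_context()
    if policy == "opportunistic":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif policy == "strict":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError("unknown policy: %r" % policy)
    return ctx


def negotiate(conn, policy: str = "opportunistic") -> str:
    """Run EHLO/STARTTLS on a connected smtplib.SMTP-like object.

    Returns "tls" when the session is encrypted, "plaintext-*" when the
    opportunistic policy continues in the clear, and "deferred-*" when the
    strict policy refuses to deliver (a real MTA would queue and retry).
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        return "deferred-no-starttls" if policy == "strict" else "plaintext-no-starttls"
    try:
        conn.starttls(context=tls_context(policy))
        conn.ehlo()  # RFC 3207: the client must EHLO again after the handshake
        return "tls"
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        if policy == "strict":
            return "deferred-tls-failed"
        # Opportunistic: real MTAs reconnect without TLS here, so the mail
        # (and any bounce) goes out unencrypted.
        return "plaintext-fallback"


# --- Constructed stand-in for a remote MX; not a real server ----------------
class FakeMX:
    """Mimics the subset of smtplib.SMTP that negotiate() uses."""

    def __init__(self, offers_starttls: bool = True, cert: str = "self-signed"):
        self.offers_starttls = offers_starttls
        self.cert = cert            # "self-signed" or "ca-signed" (assumed labels)
        self.tls_active = False

    def ehlo(self):
        caps = b"mx.example.test\nSTARTTLS" if self.offers_starttls else b"mx.example.test"
        return 250, caps

    def has_extn(self, name: str) -> bool:
        return name.lower() == "starttls" and self.offers_starttls

    def starttls(self, context: ssl.SSLContext):
        # A verifying context rejects a self-signed leaf at handshake time;
        # a CERT_NONE context never looks at the certificate at all.
        if context.verify_mode == ssl.CERT_REQUIRED and self.cert == "self-signed":
            raise ssl.SSLCertVerificationError("self-signed certificate")
        self.tls_active = True


if __name__ == "__main__":
    for mx, policy in [(FakeMX(), "opportunistic"),
                       (FakeMX(), "strict"),
                       (FakeMX(cert="ca-signed"), "strict"),
                       (FakeMX(offers_starttls=False), "opportunistic")]:
        print(policy, mx.cert, "starttls" if mx.offers_starttls else "no-starttls",
              "->", negotiate(mx, policy))
```

The opportunistic branch is the one that carries nearly all bounce traffic today, which is why a self-signed certificate is accepted there; the strict branch is what changes once a sender enforces DANE or MTA-STS for your domain, and at that point the certificate (or the TLSA record) has to verify or the bounce is deferred rather than delivered in the clear.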