On 07/25/2017 09:14 AM, Vladimir Dubrovin via mailop wrote:
> STARTTLS is opportunistic and doesn't protect against active Man-in-the-Middle. In case of TLS problems it falls back to plain text.
STARTTLS is opportunistic, but MTAs can be configured to require protected channels and to refuse email over unprotected channels.
SMTPS (now defunct?) avoids this, but is (was?) non-standard.
> To protect against passive Man-in-the-Middle, there is no actual difference between the self-signed certificate and certificate from recognized CA, so, except maybe very few insignificant implementors, all peers accept self-signed certificates for STARTTLS (unless DANE or SMTP STS are used).
I agree that this matches historical norms. I suspect that DANE and / or SMTP STS are going to be changing this.
I have also had problems with some MTAs (at least Thunderbird) complaining if the STARTTLS cert doesn't match the hostname it connects to. (SAN is sufficient.) - Though I don't know that this applies to your use case.
Also, why not send bounces back to a different server and avoid needing to expose SMTP to the world?
-- Grant. . . . unix || die
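The downgrade that the two replies above argue about (an on-path attacker removing STARTTLS from the EHLO response, and an MTA configured to refuse delivery rather than fall back to cleartext) can be shown with a few dozen lines of stdlib Python. This is an added illustration, not code from the thread or from any MTA; the fake server, the host names and the two-level policy (named after Postfix's `smtp_tls_security_level` values `may` and `encrypt`, which do exist, but implemented here from scratch) are assumptions made for the example. No TLS handshake is performed, because the decision that matters for the downgrade happens before it: whether the client continues in cleartext when STARTTLS is absent.

```python
"""Toy SMTP client vs. a fake MTA: opportunistic ('may') STARTTLS falls back to
cleartext when the capability is missing; mandatory ('encrypt') refuses.

Constructed fixture, added as an example; not from the mailop thread.
"""
import socket
import threading


def fake_mta(advertise_starttls: bool) -> int:
    """Start a minimal ESMTP server on 127.0.0.1 and return its port.

    With advertise_starttls=False the EHLO reply omits STARTTLS, which is what
    a client sees when an active man-in-the-middle strips the capability.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mx.example.test ESMTP\r\n")
            f = conn.makefile("rb")
            while True:
                line = f.readline()
                if not line:
                    break
                cmd = line.strip().upper()
                if cmd.startswith(b"EHLO"):
                    caps = [b"250-mx.example.test", b"250-SIZE 10240000"]
                    if advertise_starttls:
                        caps.append(b"250-STARTTLS")
                    caps.append(b"250 8BITMIME")
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif cmd.startswith(b"STARTTLS"):
                    conn.sendall(b"220 Ready to start TLS\r\n")
                    break  # a real server would now run the TLS handshake
                elif cmd.startswith(b"QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"250 OK\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def read_reply(f):
    """Collect one (possibly multi-line) SMTP reply -> (code, [text lines])."""
    lines = []
    while True:
        raw = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(raw) < 3:
            raise ConnectionError("peer closed the connection")
        lines.append(raw[4:])
        if len(raw) < 4 or raw[3] != "-":
            return int(raw[:3]), lines


def negotiate(host: str, port: int, policy: str) -> str:
    """Return 'tls', 'plaintext' or 'refused'.

    policy 'may'     -> opportunistic: STARTTLS if offered, else cleartext.
    policy 'encrypt' -> mandatory: abort when STARTTLS is not offered.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        code, _ = read_reply(f)
        if code != 220:
            return "refused"
        s.sendall(b"EHLO client.example.test\r\n")
        code, caps = read_reply(f)
        offers_tls = any(c.upper() == "STARTTLS" for c in caps[1:])
        if offers_tls:
            s.sendall(b"STARTTLS\r\n")
            code, _ = read_reply(f)
            # A real client wraps the socket with ssl here; a stricter policy
            # would additionally verify the chain and the SAN against the host.
            return "tls" if code == 220 else "refused"
        s.sendall(b"QUIT\r\n")
        if policy == "encrypt":
            return "refused"
        return "plaintext"  # the downgrade window of opportunistic TLS


def demo() -> dict:
    """Run all four combinations of (STARTTLS advertised, policy)."""
    results = {}
    for advertised in (True, False):
        for policy in ("may", "encrypt"):
            port = fake_mta(advertised)
            results[(advertised, policy)] = negotiate("127.0.0.1", port, policy)
    return results


if __name__ == "__main__":
    for (advertised, policy), outcome in demo().items():
        print(f"STARTTLS advertised={advertised!s:5} policy={policy:7} -> {outcome}")
```

The two `encrypt` rows are the defender's point: with STARTTLS present the outcome is the same as under `may`, and with it stripped the mail is queued or bounced instead of leaking in cleartext. Requiring TLS only removes the downgrade; it does not by itself authenticate the peer, which is where the thread's DANE and SMTP STS remarks come in.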
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop