On 2022/11/21 10:07, Julian Bradfield via mailop wrote:
> So my question is, if it is certificates (rather than ciphers - my
> cipher suites are all gnutls default, so should be current), what do I

The type of alert should indicate whether it's ciphers or certs.

> need to do to get everybody to accept TLS ? Just make the certificate
> match the machine name, or do I need to get letsencrypt certificates

In the absence of MTA-STS most senders will use an unvalidated cert on the basis that encryption is usually better than no encryption, though obviously this doesn't do anything to guard against MITM. Any checks beyond this are going to depend on how the relevant sending host is configured, so it's not really possible to give general advice.

> for it? Do TLS clients follow CNAMEs to find the server hostname? That
> is, do I need a certificate with SANs for every name that might be
> used to contact the machine, or just for the name it presents at SMTP
> session start?

They don't follow CNAMEs. So if you have a bunch of domains with say "example.com MX 0 mail.example.com" and an A record for mail.example.com, if you can do so it's probably more straightforward to change them to "MX 0 mail.someprovider.example" and cut down on the number of SANs (each of which will need to be verified by the cert issuer..)

(If you do get CA-signed certs, don't forget to configure your servers to present the intermediate aka chain cert to clients as well, that's probably the most common thing which causes validation problems).

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
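As an added example (not part of the thread above): a small planning check that, given the MX records you publish and the SANs in the certificate you intend to deploy, lists which MX target names the certificate would fail to cover. It encodes the point made in the reply, that a validating sender matches the MX target name as published and does not follow a CNAME, and it also flags MX targets that are CNAMEs as candidates for pointing directly at the mail host. The DNS data is constructed for illustration; the wildcard rule follows RFC 6125 (one leftmost label only).

```python
"""Which hostnames must the SMTP server certificate's SANs cover?"""

# Constructed zone data: domain -> list of (priority, MX target).
MX_RECORDS = {
    "example.com": [(0, "mail.example.com")],
    "example.net": [(0, "mail.example.net"), (10, "mail.example.com")],
    "example.org": [(0, "mail.someprovider.example")],
}
# Constructed CNAMEs: alias -> canonical name. A sender validating TLS
# checks the MX target it was told about, not the name the alias resolves to.
CNAME_RECORDS = {"mail.example.net": "mail.example.com"}


def _norm(name):
    return name.lower().rstrip(".")


def required_san_names(mx_records):
    """Every distinct MX target, taken verbatim (CNAMEs are not followed)."""
    return {_norm(target) for mxs in mx_records.values() for _p, target in mxs}


def hostname_matches_san(hostname, san):
    """RFC 6125 style comparison: case-insensitive, the wildcard may only be
    the whole leftmost label, and it matches exactly one label."""
    host = _norm(hostname).split(".")
    pat = _norm(san).split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two real labels after the wildcard (reject "*.com").
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def uncovered_mx_targets(mx_records, sans):
    """MX targets that no SAN in the planned certificate would match."""
    needed = required_san_names(mx_records)
    return sorted(n for n in needed
                  if not any(hostname_matches_san(n, s) for s in sans))


def mx_targets_that_are_cnames(mx_records, cname_records):
    """MX targets published as aliases; pointing MX at the canonical host
    instead removes a SAN you would otherwise have to get issued."""
    aliases = {_norm(a) for a in cname_records}
    return sorted(n for n in required_san_names(mx_records) if n in aliases)


if __name__ == "__main__":
    planned = ["mail.example.com", "*.someprovider.example"]
    print("uncovered:", uncovered_mx_targets(MX_RECORDS, planned))
    print("MX targets that are CNAMEs:",
          mx_targets_that_are_cnames(MX_RECORDS, CNAME_RECORDS))
```

Running it shows that mail.example.net stays uncovered even though it is a CNAME to a covered name, which is exactly the situation the reply describes.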