On 2022-11-21 at 08:58:29 UTC-0500 (Mon, 21 Nov 2022 13:58:29 +0000)
Slavko via mailop <li...@slavino.sk>
is rumored to have said:

On 21 November 2022 at 10:07:47 UTC, Julian Bradfield via mailop <mailop@mailop.org> wrote:

So my question is, if it is certificates (rather than ciphers - my
cipher suites are all gnutls default, so should be current), what do I
need to do to get everybody to accept TLS ? Just make the certificate
match the machine name, or do I need to get letsencrypt certificates
for it? Do TLS clients follow CNAMEs to find the server hostname? That
is, do I need a certificate with SANs for every name that might be
used to contact the machine, or just for the name it presents at SMTP
session start?

To make **everyone** happy with your certificate/TLS, you have to ensure
all possible combinations:

+ valid certificate chain (for those requiring it)
+ valid SAN name (for those requiring it)
+ valid DANE TLSA record (for those requiring it)
+ valid MTA-STS settings (for those requiring it)
+ accept plain connections (for those doing fallback)

IMO nobody knows how many servers require particular TLS settings,

FWIW, there are no discernible populations of mail servers or clients requiring DANE or MTA-STS.

but AFAIK the number of those requiring at least some of that grows, thus
providing a valid certificate can be the required minimum in the near future.

Requiring a valid certificate for a particular name with a trust chain going back to a trusted root is typically a MUA behavior, as MTAs which do that will refuse to deliver a lot of mail.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
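Slavko's five-item checklist and Julian's question about which name the certificate must carry can be checked offline. The following is an added example written for this thread, not code from any of the participants. It assumes the SAN and MTA-STS "mx" wildcard rule (a `*.` covers exactly one left-most label), derives the DANE TLSA rdata in the "3 1 1" form (DANE-EE, SPKI, SHA2-256) from the leaf certificate's DER-encoded SubjectPublicKeyInfo, and evaluates each item against a single MX host. The sample policy text and SPKI bytes are constructed placeholders, not a real key or a real domain's policy.

```python
"""Offline helpers for the SMTP TLS checklist discussed in the thread (added example)."""
import hashlib
from typing import Optional


def hostname_matches(hostname: str, patterns: list) -> bool:
    """Match a hostname against DNS names the way a TLS client checks SAN dNSName
    entries: case-insensitive, exact match, or a '*.' wildcard covering exactly
    one left-most label ('*.example.net' matches 'mx1.example.net' but neither
    'example.net' nor 'a.b.example.net'). MTA-STS 'mx' patterns use the same rule."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for pattern in patterns:
        pat_labels = pattern.rstrip(".").lower().split(".")
        if pat_labels == host_labels:
            return True
        if pat_labels[0] == "*" and len(pat_labels) == len(host_labels) \
                and pat_labels[1:] == host_labels[1:]:
            return True
    return False


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value text an MTA-STS policy file carries. 'mx' may repeat
    and is collected as a list; 'max_age' is an integer; other keys keep their
    last value. Blank or malformed lines are ignored."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def tlsa_3_1_1(spki_der: bytes) -> str:
    """DANE-EE(3) / SPKI(1) / SHA2-256(1) rdata for the MX host's TLSA record,
    derived from the DER-encoded SubjectPublicKeyInfo of the leaf certificate."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def checklist(mx_host: str, san_names: list, chain_trusted: bool,
              spki_der: bytes, published_tlsa: Optional[str],
              mta_sts_policy: Optional[str], accepts_cleartext: bool) -> dict:
    """Evaluate the five requirements from the thread for one MX host. Each value
    is True when senders that insist on that item would still deliver."""
    san_ok = hostname_matches(mx_host, san_names)
    dane_ok = published_tlsa is not None and published_tlsa == tlsa_3_1_1(spki_der)
    sts_ok = True  # no policy published: MTA-STS senders have nothing to enforce
    if mta_sts_policy is not None:
        pol = parse_mta_sts_policy(mta_sts_policy)
        requirements_met = (pol.get("version") == "STSv1"
                            and hostname_matches(mx_host, pol["mx"])
                            and chain_trusted and san_ok)
        # only 'enforce' mode turns a failure into a refused delivery
        sts_ok = requirements_met or pol.get("mode") != "enforce"
    return {
        "chain": chain_trusted,
        "san": san_ok,
        "dane": dane_ok,
        "mta_sts": sts_ok,
        "cleartext_fallback": accepts_cleartext,
    }


# Constructed sample inputs: not a real public key, not a real domain's policy.
SAMPLE_SPKI = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01-constructed-placeholder"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mx1.example.net\n"
    "mx: *.example.net\n"
    "max_age: 604800\n"
)

if __name__ == "__main__":
    result = checklist("mx1.example.net", ["*.example.net"], True, SAMPLE_SPKI,
                       tlsa_3_1_1(SAMPLE_SPKI), SAMPLE_POLICY, True)
    for item, ok in result.items():
        print(f"{item:20s} {'ok' if ok else 'FAIL'}")
```

The name compared against the SANs is the MX hostname as published in DNS, which is what `mx_host` stands for here; whatever the server announces in its SMTP banner plays no part in the match. The TLSA value is computed from the SPKI rather than the whole certificate, so a renewal that keeps the same key leaves the published record valid.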
