What's DMARK? I've only heard of RFC 7489 ;)

> On Apr 7, 2025, at 9:05 PM, Klaus Ethgen via mailop <mailop@mailop.org> wrote:
> 
> Hi,
> 
> On Mon, 7 Apr 2025 at 11:02, Jaroslaw Rafa via mailop wrote:
> [Automatisation of short term SSL-Cert replacement]
> 
> I am aware of scripts and tools to renew the certificates. But I refuse
> to let such tools change some security stuff like certificates. Letting
> them do that stuff I could likewise drop it completely. It is a complete
> bankruptcy. (I hope to use that word the right way.)
> 
> I do not want to start a discussion about the folly of the current SSL
> infrastructure. It is broken by design and all that stuff like short
> running certificates or CAA makes it even worse.
> 
> The only solution for that would be TLSA but browsers boycott that
> approach as it would render all that commercial CA needless.
> 
> In context of mail we have DANE, which is basically TLSA. So fine for
> that area.
> 
>>> I have a very accurate SPF. But I refuse to use any other than `-all` as
>>> without it, it would make SPF useless! I never ever want any other host
>>> to send mails in my name!
>> 
>> I hope you are well aware of the consequences (eg. that this does break
>> forwarding) and accept them.
> 
> I am.
> 
> Currently there are some ways around that. As SPF is only caring about
> the envelope sender, it is enough to change that by the forwarding
> system. Another system is SRS.
> 
> SPF without -all is technically useless.
> 
> By the way, I did not mean DKIM changing the meaning but DMARK. DMARK
> does validate the From-header with SPF, which is REALLY breaking forwards.
> 
>>>> * Don't do sender callout verification to SMTP servers which aren't
>>>>   yours.
>>> 
>>> Why not?
>> 
>> Because many receiving servers now consider this as malicious activity and
>> will put you on the blocklists if you do this.
> 
> Until now it didn't but I will think about that. Thanks.
> 
> Regards
>   Klaus
> --
> Klaus Ethgen                                       http://www.ethgen.ch/
> pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
> Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

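Added example, not part of any message in this thread: a small model of the forwarding cases discussed above (direct delivery, plain forwarding under `-all`, and forwarding with a rewritten envelope sender), showing the SPF result and whether that result aligns with the From header for DMARC. The domains, addresses and SPF records are constructed, the SPF evaluator handles only `ip4` and `all`, alignment is strict, and `srs_rewrite` is a simplified stand-in for SRS, which also adds a hash and timestamp.

```python
import ipaddress

# Constructed SPF records (documentation-range addresses), keyed by domain.
SPF = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example.net": "v=spf1 ip4:198.51.100.7 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from_domain, client_ip):
    """Evaluate a simplified SPF record (ip4 and all mechanisms only)."""
    record = SPF.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def srs_rewrite(envelope_sender, forwarder_domain):
    """SRS-style rewrite (simplified: real SRS adds a hash and timestamp)."""
    local, domain = envelope_sender.rsplit("@", 1)
    return f"SRS0={domain}={local}@{forwarder_domain}"

def evaluate(envelope_sender, header_from, client_ip):
    """Return (SPF result, SPF passes and aligns with From under strict mode)."""
    spf_domain = envelope_sender.rsplit("@", 1)[1]
    result = spf_check(spf_domain, client_ip)
    aligned = result == "pass" and spf_domain == header_from.rsplit("@", 1)[1]
    return result, aligned

if __name__ == "__main__":
    sender = "alice@example.org"
    rewritten = srs_rewrite(sender, "forwarder.example.net")
    print("direct        ", evaluate(sender, sender, "192.0.2.10"))
    print("plain forward ", evaluate(sender, sender, "198.51.100.7"))
    print("SRS forward   ", evaluate(rewritten, sender, "198.51.100.7"))
```

DKIM is not modelled here; a DMARC evaluation would also accept an aligned DKIM signature that survives forwarding.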