On Mon, Apr 07, 2025 at 09:59:58PM +0200, Faisal Misle via mailop wrote:
> What's DMARK? I've only heard of RFC 7489 ;)

Hmph.

Domänen-basiert Mitteilungs-Authentifizierung, Reportage und Konformanz.

Natürlich.

> 
> > On Apr 7, 2025, at 9:05 PM, Klaus Ethgen via mailop <mailop@mailop.org> 
> > wrote:
> > 
> > Hi,
> > 
> > On Mon, 7 Apr 2025 at 11:02, Jaroslaw Rafa via mailop wrote:
> > [Automatisation of short term SSL-Cert replacement]
> > 
> > I am aware of scripts and tools to renew the certificates. But I refuse
> > to let such tools change some security stuff like certificates. Letting
> > them do that stuff I could likewise drop it completely. It is a complete
> > bankruptcy. (I hope to use that word the right way.)
> > 
> > I do not want to start a discussion about the foll of the current SSL
> > infrastructure. It is broken by design and all that stuff like short
> > running certificates or CAA makes it even worse.
> > 
> > The only solution for that would be TLSA but browsers boycott that
> > approach as it would render all those commercial CAs needless.
> > 
> > In context of mail we have DANE, which is basically TLSA. So fine for
> > that area.
> > 
> >>> I have a very accurate SPF. But I refuse to use any other than `-all` as
> >>> without it, it would make SPF useless! I never ever want any other host
> >>> to send mails in my name!
> >> 
> >> I hope you are well aware of the consequences (eg. that this does break
> >> forwarding) and accept them.
> > 
> > I am.
> > 
> > Currently there are some ways around that. As SPF is only caring about
> > the envelope sender, it is enough to change that by the forwarding
> > system. Another system is SRS.
> > 
> > SPF without -all is technically useless.
> > 
> > By the way, I did not mean DKIM changing the meaning but DMARK. DMARK
> > does validate the From-header with SPF, which is REALLY breaking forwards.
> > 
> >>>> * Don't do sender callout verification to SMTP servers which aren't
> >>>>   yours.
> >>> 
> >>> Why not?
> >> 
> >> Because many receiving servers now consider this as malicious activity and
> >> will put you on the blocklists if you do this.
> > 
> > Until now it didn't but I will think about that. Thanks.
> > 
> > Regards
> >   Klaus
> > --
> > Klaus Ethgen                                       http://www.ethgen.ch/
> > pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
> > Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
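
Added example, not part of the thread or any poster's code: a Python sketch of the forwarding cases discussed above, showing an SPF `-all` check on the envelope sender for direct delivery, for plain forwarding, and after an SRS0-style envelope rewrite, plus whether that SPF result aligns with the From header for DMARC. The domains, addresses, secret, the `ip4`/`all`-only SPF subset, the fixed SRS timestamp and the suffix-match alignment are all assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress

# Constructed sample data: documentation domains and RFC 5737 addresses.
SPF = {
    "origin.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, envelope_from):
    """Evaluate only the ip4 and all mechanisms (a small subset of SPF)."""
    record = SPF.get(envelope_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return RESULT[qualifier]
    return "neutral"

def srs_rewrite(envelope_from, forwarder, secret, stamp="AB"):
    """SRS0-style rewrite; the hash length and fixed timestamp are simplified."""
    local, domain = envelope_from.rsplit("@", 1)
    mac = hmac.new(secret, f"{stamp}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = base64.b64encode(mac.digest()).decode()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder}"

def dmarc_spf_aligned(header_from, envelope_from, spf_result):
    """SPF counts for DMARC only if it passed for a domain matching From.
    Relaxed alignment is approximated by a suffix match (no Public Suffix List)."""
    h = header_from.rsplit("@", 1)[1].lower()
    e = envelope_from.rsplit("@", 1)[1].lower()
    related = h == e or h.endswith("." + e) or e.endswith("." + h)
    return spf_result == "pass" and related

def scenarios():
    sender, fwd_ip = "user@origin.example", "198.51.100.25"
    out = {"direct": spf_check("192.0.2.10", sender),
           "forwarded": spf_check(fwd_ip, sender)}  # forwarder keeps the envelope sender
    rewritten = srs_rewrite(sender, "forwarder.example", b"constructed-secret")
    out["forwarded_srs"] = spf_check(fwd_ip, rewritten)
    out["dmarc_spf_after_srs"] = dmarc_spf_aligned(sender, rewritten, out["forwarded_srs"])
    return out

if __name__ == "__main__":
    print(scenarios())
```

The rewrite restores an SPF pass at the next hop, but that pass is for the forwarder's domain, so it does not satisfy the SPF leg of DMARC for the original From header.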