Sahil Tandon wrote:
> Victor Duchovni wrote:
>
>> On Fri, Dec 26, 2008 at 08:25:12AM -0500, Sahil Tandon wrote:
>>
>>> sean darcy wrote:
>>>
>>>> Victor Duchovni wrote:
>>>>> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
>>>>>
>>>>>> smtp_use_tls = yes
>>>>>>
>>>>> This is obsolete. Set:
>>>>>
>>>>> smtp_tls_security_level = encrypt
>>>>>
>>>>> or better (given suitable CAfile or CApath):
>>>>>
>>>>> smtp_tls_security_level = secure
>>>>>
>>>> So where would you get the certificate to authenticate to google or
>>>> 1and1.
>>> The smtp (client), as opposed to the smtpd (server), does not need a
>>> certificate to authenticate to google.
>> Irrelevant, an SMTP client that wants to verify Google's authenticity
>> needs the root CA certificate of the CA that signed Google's cert.
>
> Agreed. My point is that a cert is *not* needed to authenticate to
> Google's submission service. If, and only if, the client wants to
> verify authenticity is the signing root's cert required.
>

It's not required. But if you don't verify the cert, then you trust DNS. So a DNS attack (poisoning, ...) would make him send passwords to the wrong server.

>> Yes the client does not need its own private keys and associated certs,
>> but that is not the point.
>
> It is not the point and thus was not alleged.
>
> [...]
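
The two settings debated in this thread, side by side in a Postfix `main.cf` fragment. This is an added example, not part of any poster's message; the relay host name, the CA bundle path and the password map path are assumptions to adapt to the local system.

```ini
# /etc/postfix/main.cf (fragment; added illustration, not from the thread)
# Assumed values: relay host, CA bundle path, SASL password map path.

# Submission relay. The brackets suppress the MX lookup, so the "nexthop"
# name matched against the server certificate is exactly this host name.
relayhost = [smtp.gmail.com]:587

# The client authenticates with a SASL password, not with a certificate,
# so smtp_tls_cert_file and smtp_tls_key_file stay unset.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Permit PLAIN/LOGIN; acceptable only because TLS is mandatory below.
smtp_sasl_security_options = noanonymous

# Weak form: the session is encrypted, but the server certificate is not
# checked. Whoever answers at the address DNS returns receives the password.
# smtp_tls_security_level = encrypt

# Corrected form: the certificate must chain to a CA in smtp_tls_CAfile and
# its name must match the configured next hop, never a name learned from DNS.
# On failure the mail is deferred before any SASL exchange takes place.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_secure_cert_match = nexthop, dot-nexthop

# Log a one-line TLS summary for each outbound connection.
smtp_tls_loglevel = 1
```

After `postfix reload`, the per-connection TLS summary in the mail log shows whether the peer certificate was verified.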