On 10/20/2011 8:40 AM, Jan-Frode Myklebust wrote:
> I'm considering if I should enable opportunistic TLS on our smtp
> gateways.

Good idea. Opportunistic TLS is good for preventing eavesdropping.

> Our gateways are known by several DNS names, so I think it
> will be difficult to use certificates signed by a "reputable" CA.

Opportunistic TLS is about encryption, not authentication. The name used -- especially with a self-signed cert -- doesn't matter very much.

At any rate, it's usually a mistake to use multiple names for an MX. There is no requirement nor (technical) expectation that an MX will use the same domain as the recipient.

> do other mailservers behave if we enable smtpd_tls_security_level=may
> and offer self-signed certs with possibly wrong name compared to what
> the MX-records are pointing to ?

Should be fine.

  -- Noel Jones
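As an added illustration of the setup discussed in this thread (this is not Noel's or Jan-Frode's code, nor anything from the Postfix project): the script below generates a self-signed certificate whose subjectAltName lists every name the gateway is known by, and prints the main.cf fragment that turns on opportunistic TLS for both inbound (smtpd) and outbound (smtp) sessions. The hostnames, file paths and the temporary work directory are assumptions; it needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example: self-signed cert covering several MX names plus a Postfix
# opportunistic-TLS fragment. Names and paths below are assumed, not from the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/smtpd.key"
CERT="$WORKDIR/smtpd.crt"

# Every DNS name an MX record or a peer might use for this gateway (assumed).
MX_NAMES="mx1.example.com mx.example.net smtp-in.example.org"

# Turn "a b c" into "DNS:a,DNS:b,DNS:c" for the subjectAltName extension.
san_list() {
    out=""
    for n in $1; do
        out="${out:+$out,}DNS:$n"
    done
    printf '%s' "$out"
}

# Create an RSA key and a self-signed certificate valid for all listed names.
# With smtpd_tls_security_level=may peers encrypt but do not verify the name,
# so the SAN list is a courtesy for clients that log or display it, not a requirement.
make_selfsigned() {
    first=${MX_NAMES%% *}
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$first" \
        -addext "subjectAltName=$(san_list "$MX_NAMES")" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
    chmod 600 "$KEY"
}

# Count the DNS SANs actually present in the generated certificate.
cert_san_count() {
    openssl x509 -in "$CERT" -noout -text | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

# main.cf lines: "may" = offer/use STARTTLS when available, fall back to plaintext.
# smtpd_* covers mail we receive, smtp_* covers mail we send onward.
postfix_tls_fragment() {
    cat <<EOF
smtpd_tls_security_level = may
smtpd_tls_cert_file = $CERT
smtpd_tls_key_file = $KEY
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
EOF
}

make_selfsigned
postfix_tls_fragment
```

After reloading Postfix you can confirm STARTTLS is offered with `openssl s_client -starttls smtp -connect mx1.example.com:25`; expect a name or chain verification error from s_client, which is exactly the condition Noel says peers in "may" mode will tolerate. `smtpd_tls_loglevel = 1` and `smtpd_tls_received_header = yes` are there so you can see in the logs and Received: headers which peers actually negotiated TLS.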