On Mon, 24 Feb 2014, li...@rhsoft.net wrote:
>> Seems Postfix still needs to learn a lot about secure connections
>
> seems you need to do so
>
> in case of opportunistic there is not real trust
>
> trusted in case of a secure connection means both sides know each
> other - opportunistic means the other side needs only whatever
> certificate by a "trusted" CA and is counted as "trusted"
>
> you can discuss about logging details but hardly about "secure connections"

As said, the question is whether you want to reach 100% security or "more"
security. E.g. remembering last state and reacting to that information can
be dangerous (but so can be trusting the whole SSL certificate system).
But when you assume that systems aren't compromised from the very
beginning but only sometimes - keeping a table and remembering will help a
lot.
Sure, you may be the one who is trapped, but you aren't the only one in
the world - hopefully someone else will notice it and publish that
information. But when everything is "untrusted" then nobody will notice.
Exactly this was how the fake certs for Google and other web-pages have
been detected.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)