* Wietse Venema <wie...@porcupine.org>:
> Viktor Dukhovni:
> > Which works just fine with a single certificate, because TLS in
> > SMTP is generally unauthenticated.  If all the various domains
> > share the same MX hostnames, many implementations that log
> > "speculative" authentication results (no actual enforcement, just
> > logging that a given session happened to appear to not be MiTMed)
> > will match the MX host against the shared certificate.
> 
> I'd like to hear a bit more on this from other people than Viktor.
> There is a difference between "technically perfect" (e.g., telling
> everyone to adopt DNSSEC and DANE or else don't bother), and what
> is "currently justifiable".

This isn't exactly what you asked for, but:

For us, there is very little interest from our customers when it comes
to securing the transport side of mail exchange. Most B2C customers
don't care (and probably most don't know). When it comes to our B2B
customers (we have several "white label" units and do provide
application services), we mostly encounter these scenarios:

1. Partner/ASP customer doesn't care (~78%)
2. Partner/ASP customer cares about secure mail transport and we set up
   a VPN connection with them (~12%).
3. Partner/ASP customer cares about secure mail transport and both
   parties agree to enforce STARTTLS, but don't verify certificates
   (<10%).
4. Partner/ASP customer cares about secure mail transport and both
   parties agree to enforce STARTTLS and verify certificates (1 case so
   far) or certificate fingerprints (2 cases so far).

We don't have a single partner/ASP customer who has implemented DNSSEC
(and incidentally, none have implemented IPv6 so far), neither on their
resolvers nor on their authoritative servers.

Adopting new ciphers seems to be a very slow process, with more than 60%
of all incoming/outgoing connections still relying on RC4/MD5. Changes
to a partner's/ASP customer's mail infrastructure are often very
painful, because we encounter a lot of commercial security products with
badly implemented cryptography, which often force the addition of manual
TLS policy map entries (surprisingly, VPN devices seem to be a lot more
resilient/mature when it comes to interoperability).

Further anecdotal evidence: Only about 40% of our partners/ASP customers
are prepared to deal with encrypted mail (PGP/SMIME).

I know the latter doesn't have anything to do with transport security,
but I wanted to mention it to further show that email security is not
something that gets emphasized a lot in our business (we are a mid-sized
financial services provider, ~1.1k employees).


Stefan
