On 07.11.2014 at 10:03, Michael Ströder wrote:
lst_ho...@kwsoft.de wrote
Quoting Michael Ströder <mich...@stroeder.com>:
Peter wrote:
It's pointless for MX hosts because they don't validate the certificate
anyways.
Which has to be changed.
http://www.postfix.org/TLS_README.html#client_tls_dane
But it needs securely operated DNSSEC
so what - there is no other way and *no*
https://tools.ietf.org/html/draft-melnikov-email-tls-certs can't change
that fact
since you can't change all mail setups on that planet you need to
support opportunistic TLS anyways *but* with DANE you have a way to
verify that you are talking to the wrong server by the certificate