On 2015/9/14 Monday 12:14, Viktor Dukhovni wrote:
That's clear now.  You SHOULD enable STARTTLS on port 25, if you
haven't already.  Consider publishing DANE TLSA records, but only
if you can do it right, nobody benefits from badly implemented TLSA
records.  Consider enabling DANE for outbound mail, but be prepared
for occasional domains that misconfigure their TLSA records.

My hope is that some of the earlier adopters of outbound DANE
authentication will be very large providers that can "stand firm"
in the face of misconfigured receiving systems and place the burden
of resolving problems on the receiving side.

That way, instead of everyone else having to work around breakage
on domains that can't get key rotation (etc.) right, broken TLSA
records and certificates are treated just like any other operational
failure that makes the remote party unreachable.

Some large German email providers have said they'll enable DANE
soon.  I hope they'll refuse to make exceptions for broken remote
systems, and will expect such breakage to be fixed by the guilty
party.

Thanks a lot. You have given a great answer on email security.
BTW, do you know of a provider that has supported DANE well?
Yes, we have contact with German providers like web.de/GMX/Freenet/Arcor and smaller ones, posteo.de/mailbox.org.

--
  B. Regards,
  Ken Peng - k...@cloud-china.org
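Added example, not part of this thread and not any provider's own tooling: a stdlib-only Python sketch of the "do it right" part of publishing TLSA records discussed above. It computes the DANE-EE(3) SPKI(1) SHA-256(1) record for a certificate, checks a certificate against a record in presentation form, and builds the rotation-safe RRset (records for the current and the next key published together, so the new record is in DNS before the new key goes live on port 25). The certificate is a constructed, certificate-shaped DER blob assembled in the script, not a real signed X.509 certificate; the hostname in the printed owner name is a placeholder. For real use, feed it the DER from `openssl x509 -in cert.pem -outform DER`.

```python
import hashlib

# ---- minimal DER (TLV) helpers: just enough to walk an X.509 Certificate ----

def der_len(n):
    """Encode a DER length (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of a certificate (TLSA selector 1).

    tbsCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ...; we skip the leading fields.
    """
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = der_read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, pos = der_read_tlv(tbs, 0)
    if tag == 0xA0:                     # explicit version present: skip serialNumber too
        _, _, pos = der_read_tlv(tbs, pos)
    for _ in range(4):                  # signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    tag, _, end = der_read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[pos:end]


# ---- TLSA (RFC 6698 / RFC 7671) record generation and matching ----

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Compute the TLSA RDATA tuple (usage, selector, mtype, association data)."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter")
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        assoc = data                    # full data: legal but bloats the RR
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    else:
        assoc = hashlib.sha512(data).digest()
    return usage, selector, mtype, assoc


def tlsa_presentation(cert_der, usage=3, selector=1, mtype=1):
    """Zone-file form, e.g. '3 1 1 <64 hex chars>'."""
    u, s, m, assoc = tlsa_rdata(cert_der, usage, selector, mtype)
    return f"{u} {s} {m} {assoc.hex()}"


def tlsa_matches(record, cert_der):
    """Matching step only: for usage 3 (DANE-EE) pass the leaf; for usage 2
    (DANE-TA) you would pass the issuer cert from the chain; usages 0/1 also
    need PKIX validation, which this helper deliberately does not do."""
    fields = record.split()
    if len(fields) < 4:
        return False
    try:
        u, s, m = (int(x) for x in fields[:3])
        assoc = bytes.fromhex("".join(fields[3:]))   # dig may split the hex into words
        expected = tlsa_rdata(cert_der, u, s, m)[3]
    except ValueError:
        return False
    return expected == assoc


def rollover_records(current_der, next_der, usage=3, selector=1, mtype=1):
    """RRset to publish during key rotation: the current AND the next key."""
    recs = [tlsa_presentation(c, usage, selector, mtype) for c in (current_der, next_der)]
    return sorted(set(recs))            # a re-issued cert with the same key collapses to one RR


# ---- constructed input: certificate-shaped DER (NOT a real signed cert) ----

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")       # 1.2.840.113549.1.1.11


def constructed_cert(pubkey_bytes, serial=1):
    """Assemble the X.509 field layout around a fake key (serial < 128) so
    extract_spki() has a realistic structure to traverse offline."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                          # v3
    serial_number = der_tlv(0x02, bytes([serial]))
    sig_alg = der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID))
    name = der_tlv(0x30, b"")                                                # empty Name
    validity = der_tlv(0x30, der_tlv(0x17, b"150914000000Z") + der_tlv(0x17, b"160914000000Z"))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = der_tlv(0x30, version + serial_number + sig_alg + name + validity + name + spki)
    signature = der_tlv(0x03, b"\x00" * 17)                                  # placeholder, never verified
    return der_tlv(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    current = constructed_cert(b"\x01" * 32, serial=1)
    renewed = constructed_cert(b"\x01" * 32, serial=7)   # same key, re-issued cert
    rotated = constructed_cert(b"\x02" * 32, serial=8)   # new key
    rec = tlsa_presentation(current)
    print("_25._tcp.mx.example.com. IN TLSA", rec)
    print("matches current:", tlsa_matches(rec, current))
    print("matches re-issued (same key):", tlsa_matches(rec, renewed))
    print("matches rotated key:", tlsa_matches(rec, rotated))
    for r in rollover_records(current, rotated):
        print("_25._tcp.mx.example.com. IN TLSA", r)
```

The script chooses "3 1 1" deliberately: selector 1 hashes only the public key, so a certificate re-issued for the same key (routine renewal) keeps matching, while selector 0 would break on every renewal. Rotating the key is where most TLSA breakage comes from; rollover_records shows the safe sequence, publish both records, wait out the old TTL, then switch the key on the MTA, then drop the old record.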
