I *think* the answer to this is that I am fine.
Last year I only used CA issued certificates.
This year, I am wanting to move to self-signed for SMTP and for
infrastructure domains that are not intended for the public where DANE
can validate. I am convinced DANE does a better job at validating a host
is who it says it is than CA certs do.
I just updated one of my mail servers to self-signed. The signed
certificate expires in a few weeks so I can switch back if I did something
wrong.
https://ssl-tools.net/mailservers/deviant.email
That gives a red flag for Unknown Authority, which, being self-signed,
it is, so I assume that red flag is meaningless?
I know most SMTP servers never bother with validating CA certificates; I
have personally found many that even have a hostname mismatch, yet other
SMTP servers still connect to them securely, so I think I am fine.
My other DANE enforcing mail servers did connect.
However, is there a way to check that my self-signed cert "does things
right" as far as what *should* be in an SMTP self-signed cert?
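One way to answer the closing question, as an added example that is not part of the original post: build a throwaway self-signed certificate for a constructed MX hostname, derive the DANE-EE "3 1 1" TLSA record that must be published at `_25._tcp.<mx-host>`, cross-check it against the private key, and confirm the MX name sits in the subjectAltName. It assumes only an openssl CLI of version 1.1.1 or newer; the hostname and paths are made up.

```shell
# Added example (not from the original post): self-signed SMTP cert plus
# the matching DANE-EE TLSA record. Requires openssl >= 1.1.1.
set -eu

MX_HOST="mx1.example.test"          # constructed hostname, not a real server
WORK="${TMPDIR:-/tmp}/dane-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-signed leaf certificate. The MX name goes in subjectAltName, which
# is where verifiers look; a CN on its own is not enough.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=$MX_HOST" -addext "subjectAltName=DNS:$MX_HOST" 2>/dev/null
}

# TLSA "3 1 1" payload: SHA-256 over the DER SubjectPublicKeyInfo of the
# certificate. Selector 1 (SPKI) keeps the DNS record valid across
# renewals as long as the same key pair is reused.
tlsa_311_from_cert() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest taken from the private key the MTA actually loads. If the
# two differ, the published record will never match what the server sends.
tlsa_311_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when the DNS name in $2 is listed in the certificate's SAN.
# DANE-EE verifiers ignore names and expiry (RFC 7671 section 5.1), but
# keeping the MX name there avoids mismatch noise from non-DANE clients.
san_has_name() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qE "DNS:$2(,|\$)"
}

make_self_signed
HASH="$(tlsa_311_from_cert "$WORK/cert.pem")"
echo "_25._tcp.$MX_HOST. IN TLSA 3 1 1 $HASH"
```

Publish the printed record in the (DNSSEC-signed) zone for the MX host; the "3 1 1" form is the one DANE-enforcing SMTP clients match against, and it is unaffected by the "Unknown Authority" warning a CA-oriented checker reports.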