> On Jan 22, 2018, at 2:43 AM, DTNX Postmaster <postmas...@dtnx.net> wrote:
>
>> A "real" certificate is useful if you have customers connecting to
>> your server as a submission service. While self-signed certs work
>> fine for that purpose too, sometimes it's easier to avoid talking
>> folks into how to import your self-signed cert.
>
> Sadly, there are folks who think that a certificate they cannot verify
> all the way up to a trusted root means that they should fall back to
> plain text. Mailgun is an example of this, and they are quite widely
> used despite this and several other problems.

My view is that if mailgun chooses to shoot itself in the foot and
considers sending in the clear more secure than unauthenticated TLS
then so be it, their problem, not mine... Have you seen any traffic
via mailgun that warrants protection from passive monitoring?

It would be great to compile a list of systems that are broken in
this manner, and shame them all (politely) in a suitable public forum.
Some senders still don't support TLS at all, even with a CA/B forum
CA (WebPKI) certificate on the receiving end.

--
Viktor.