On Mon, Jul 27, 2020 at 07:32:41PM +0000, Antonio Leding wrote:

> I’ve always been dubious about the auth requirement by some (i.e. the
> brain deads to which you refer) to allow TLS connections for
> server-to-server communications.

Without DANE or (weaker) MTA-STS, indeed X.509 authentication of SMTP MX
hosts is mere appearance of security.

> In any event, people do what people do so I guess in order to ensure
> my server will employ the highest number of TLS sessions, I should use
> a CA-signed cert...  

That's not the conclusion I reached.  My MTA uses a self-signed cert.
The domains that abort STARTTLS with untrusted certs are few and don't
send anything sensitive.

> Agreed?

You can of course use an LE cert, it does not do any obvious harm,
unless you also do DANE, and neither freeze the key, nor handle TLSA
updates correctly (in advance of cert deployment).

-- 
    Viktor.
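Viktor's last paragraph turns on two DANE details: a TLSA "3 1 1" record pins the certificate's public key (the SHA-256 digest of its SubjectPublicKeyInfo), so re-issuing a certificate on a frozen key leaves the published record valid, while a record for a new key has to be in DNS before the certificate that uses it is deployed. The script below is an added example, not code from this thread or from Postfix; it assumes the openssl CLI is installed, uses mx.example.com as a placeholder host name, and constructs throwaway keys and self-signed certificates locally.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the openssl CLI is
# installed; mx.example.com and the key/cert files are constructed locally.
set -eu

# DANE-EE(3) SPKI(1) SHA2-256(1) TLSA data for a PEM certificate: the SHA-256
# digest of the DER-encoded SubjectPublicKeyInfo. Only the key matters, so a
# re-issued certificate with the same key yields the same digest.
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# Full TLSA resource record for SMTP on port 25 of the given MX host name.
tlsa_rr() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_3_1_1 "$2")"
}

# Rollover RRset: publish the next key's record alongside the current one
# before the new certificate is deployed, so no verifier ever sees a cert
# whose key has no matching TLSA record. Prints two records.
rollover_rrset() {
    tlsa_rr "$1" "$2"   # current certificate
    tlsa_rr "$1" "$3"   # next certificate (not yet deployed)
}

# Helpers for constructing throwaway keys and self-signed certs.
mkkey() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}
mkcert() {  # mkcert key.pem out.pem days
    openssl req -new -x509 -key "$1" -subj "/CN=mx.example.com" -days "$3" -out "$2" 2>/dev/null
}

# Returns 0 if (a) two certs issued from one frozen key produce the same TLSA
# data and (b) a fresh key produces different TLSA data.
check_key_freeze() {
    work=$(mktemp -d)
    mkkey "$work/frozen.pem"
    mkcert "$work/frozen.pem" "$work/cert_a.pem" 30
    mkcert "$work/frozen.pem" "$work/cert_b.pem" 60
    mkkey "$work/new.pem"
    mkcert "$work/new.pem" "$work/cert_c.pem" 30
    a=$(tlsa_3_1_1 "$work/cert_a.pem")
    b=$(tlsa_3_1_1 "$work/cert_b.pem")
    c=$(tlsa_3_1_1 "$work/cert_c.pem")
    rm -rf "$work"
    [ "$a" = "$b" ] && [ "$a" != "$c" ]
}

# Number of records a correct pre-deployment rollover publishes (expect 2).
rollover_record_count() {
    work=$(mktemp -d)
    mkkey "$work/cur.pem";  mkcert "$work/cur.pem" "$work/cur.crt" 30
    mkkey "$work/next.pem"; mkcert "$work/next.pem" "$work/next.crt" 30
    n=$(rollover_rrset mx.example.com "$work/cur.crt" "$work/next.crt" | wc -l)
    rm -rf "$work"
    printf '%s\n' "$n" | tr -d ' '
}

# Run with "demo" as the first argument to print a sample rollover RRset.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkkey "$work/cur.pem";  mkcert "$work/cur.pem" "$work/cur.crt" 30
    mkkey "$work/next.pem"; mkcert "$work/next.pem" "$work/next.crt" 30
    rollover_rrset mx.example.com "$work/cur.crt" "$work/next.crt"
    rm -rf "$work"
fi
```

The practical consequence for an ACME client that renews an LE certificate: either reuse the existing key on every renewal (so the 3 1 1 record never changes), or hook the renewal so the new key's TLSA record is published and has propagated past the old record's TTL before the new certificate is installed.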
