> You can of course use an LE cert, it does not do any obvious harm,
> unless you also do DANE, and neither freeze the key, nor handle TLSA
> updates correctly (in advance of cert deployment).

So I’m gathering (a) not much will be gained by using a public-CA signed cert; and (b) the PROs of using DANE + self-signed likely (or actually) outweigh going with an LE cert sans DANE.

> On Jul 27, 2020, at 1:52 PM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
> On Mon, Jul 27, 2020 at 07:32:41PM +0000, Antonio Leding wrote:
>
>> I’ve always been dubious about the auth requirement by some (i.e. the
>> brain deads to which you refer) to allow TLS connections for
>> server-to-server communications.
>
> Without DANE or (weaker) MTA-STS, indeed X.509 authentication of SMTP MX
> hosts is mere appearance of security.
>
>> In any event, people do what people do so I guess in order to ensure
>> my server will employ the highest number of TLS sessions, I should use
>> a CA-signed cert...
>
> That's not the conclusion I reached. My MTA uses a self-signed cert.
> The domains that abort STARTTLS with untrusted certs are few and don't
> send anything sensitive.
>
>> Agreed?
>
> You can of course use an LE cert, it does not do any obvious harm,
> unless you also do DANE, and neither freeze the key, nor handle TLSA
> updates correctly (in advance of cert deployment).
>
> --
> Viktor.
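Added example (not part of this thread, not Postfix code) of the deployment check that "freeze the key, or handle TLSA updates in advance" boils down to: a DANE-EE "3 1 1" TLSA record is the SHA-256 of the certificate's SubjectPublicKeyInfo, so a renewal that keeps the same key matches the published record unchanged, while a cert with a new key may only go live once its record is already in DNS. The SPKI byte strings and the mx.example.com owner name are constructed placeholders; only hashlib and re are used.

```python
import hashlib
import re

# Constructed stand-ins for the DER SubjectPublicKeyInfo that
# `openssl x509 -pubkey` would yield; any DER bytes work the same way.
CURRENT_SPKI = b"constructed-der-spki-for-current-key"
NEXT_SPKI = b"constructed-der-spki-for-next-key"


def tlsa_record(spki_der: bytes) -> str:
    """Return the DANE-EE(3) SPKI(1) SHA2-256(1) record in presentation
    format. Selector 1 hashes the public key, not the whole certificate,
    so renewing with a frozen key leaves the record unchanged."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def parse_tlsa_zone(zone_text: str) -> set[str]:
    """Collect '<usage> <selector> <mtype> <hex>' records from zone lines."""
    pat = re.compile(r"\bTLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F]+)")
    return {f"{u} {s} {m} {h.lower()}" for u, s, m, h in pat.findall(zone_text)}


def safe_to_deploy(published: set[str], candidate_spki: bytes) -> bool:
    """Gate on DNS: deploy the candidate cert only if the 3 1 1 record for
    its key is already published. (The old record's TTL must also have
    elapsed since publication; that wait is not modelled here.)"""
    return tlsa_record(candidate_spki) in published


def rollover_zone(owner: str, *spkis: bytes) -> str:
    """Zone fragment publishing one 3 1 1 record per key: the current key
    plus the next one, so the next cert can be deployed later."""
    return "\n".join(f"{owner} IN TLSA {tlsa_record(s)}" for s in spkis)


if __name__ == "__main__":
    owner = "_25._tcp.mx.example.com."          # constructed owner name
    published = parse_tlsa_zone(rollover_zone(owner, CURRENT_SPKI))
    print("renew, same key:", safe_to_deploy(published, CURRENT_SPKI))  # True
    print("new key, not in DNS:", safe_to_deploy(published, NEXT_SPKI))  # False
    published = parse_tlsa_zone(rollover_zone(owner, CURRENT_SPKI, NEXT_SPKI))
    print("new key, pre-published:", safe_to_deploy(published, NEXT_SPKI))  # True
```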