Hello Bill,

you could as well just turn off encryption. If you don't care to whom you disclose information, why not allow anyone to read it? Are you also not using a trusted certificate or even no certificate for your public web site? Seriously, I know this discussion has been going on for 10+ years. Is it better to encrypt communication to a communication partner without authentication or not? Since authentication today is easy, I think (or hope) that discussion is irrelevant...

All,

do we agree that email authentication requires two steps...

* DNSSEC
* trustworthy certificates (either trusted root or DANE) and validation

... unless we want to resort to manually configuring trust (obviously entries in /etc/hosts are less likely to be manipulated by an attacker)? And the dependency on DNSSEC is because of the indirection caused by MX, as otherwise - like in https - we can just validate the certificate against the user specified domain. Moreover, with email we cannot assume a user to make the decision as in a browser certificate validation failure use case.

Thanks,
Joachim

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Bill Cole
Sent: Monday, 10 January 2022 01:29
To: Postfix users <postfix-users@postfix.org>
Subject: Re: TLS enforcement options?

On 2022-01-09 at 19:08:56 UTC-0500 (Sun, 9 Jan 2022 19:08:56 -0500)
Brett Dikeman <brett.dike...@gmail.com>
is rumored to have said:

> The effort of setting up LetsEncrypt is offset by the long-term
> benefit of automatically updated certificates, IMHO.

It's even easier to automate self-signed certificate regeneration. Anyone who uses self-signed certificates can just drop the command to generate a self-signed certificate into a cron job.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
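
The MX indirection argument from the message above, as an added Python example that is not part of the thread and is not Postfix code: it models which name a sending MTA can authenticate depending on whether the MX answer was DNSSEC-validated. `MXLookup`, `PeerCert`, `authenticate`, the host names and the pin strings are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MXLookup:
    host: str          # MX target name returned by DNS
    dnssec_ok: bool    # resolver validated the MX RRset with DNSSEC
    tlsa_pins: frozenset = frozenset()  # DNSSEC-validated TLSA digests for the host

@dataclass(frozen=True)
class PeerCert:
    names: frozenset   # DNS names in the certificate (SAN)
    ca_trusted: bool   # chains to a trusted root
    spki_digest: str   # public-key digest, the kind of value a TLSA record pins

def authenticate(domain: str, mx: MXLookup, cert: PeerCert) -> str:
    """Return the mechanism that authenticated the peer, or 'unauthenticated'."""
    domain, host = domain.lower(), mx.host.lower()
    names = {n.lower() for n in cert.names}
    if mx.dnssec_ok and mx.tlsa_pins:
        # DANE: signed MX plus signed TLSA; the pin must match, no CA needed.
        return "dane" if cert.spki_digest in mx.tlsa_pins else "unauthenticated"
    if not cert.ca_trusted:
        return "unauthenticated"
    if mx.dnssec_ok and host in names:
        # Signed MX: the MX host name is authentic, so matching it is meaningful.
        return "trusted-root+dnssec"
    if domain in names:
        # Unsigned MX: only the user-specified domain can be trusted as a name.
        return "trusted-root+domain"
    return "unauthenticated"

# Constructed lookups and certificates for the recipient domain example.org
SIGNED = MXLookup("mx1.example.org", True)
DANE = MXLookup("mx1.example.org", True, frozenset({"pin-aaaa"}))
FORGED = MXLookup("mx.other.example", False)   # unsigned answer, possibly spoofed
GOOD = PeerCert(frozenset({"mx1.example.org"}), True, "pin-aaaa")
OTHER = PeerCert(frozenset({"mx.other.example"}), True, "pin-bbbb")
SELF_SIGNED = PeerCert(frozenset({"mx1.example.org"}), False, "pin-cccc")
```

With the unsigned `FORGED` answer, a CA-issued certificate for the redirected host is still rejected, because the MX name itself was never authenticated.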