> On 10 Jan 2022, at 10:07 pm, Joachim Lindenberg 
> <postfix-us...@lindenberg.one> wrote:
> 
> thanks for the insights. Based on my experience, the mail domain is almost 
> never in the SANs of a certificate, not even with self-hosted domains like 
> mine. In other words, secure is likely to cause a lot more manual 
> configuration than verify.
> I'd definitely appreciate if mail.cloud9.net could update their configuration 
> as then I could get rid of some exceptions, and others would not have to 
> think about it when moving forward w.r.t. security.

Unless they also implement DNSSEC+DANE, there is no security advantage
to an "authenticated" connection to an insecurely obtained name.

Both "encrypt" and "verify" resist passive monitoring, and both are
vulnerable to active (MiTM) attacks.  So I don't think there's much
point in security theatre around "verifiable" certificates for unverified
names.

-- 
        Viktor.
