On 2022-08-22 14:30, Viktor Dukhovni wrote:
> Correct, because there's no point. Mail would be sent whether the
> certificate is trusted or not, and whether or not the DNS-ID matches
> expectations.
>
> Setting up a TLS policy for each domain that's hosted by Microsoft is
> unrealistic, and they don't yet support DANE (but this is planned).

Ok, thanks!

I looked into DANE yesterday (I had never heard of it before that I can
recall, anyway), and it appeared to need DNSSEC, which isn't something
I've had an interest to deploy. I read what appeared to be a really
good blog post on DNSSEC a few years ago that really ripped it apart
(https://sockpuppet.org/blog/2015/01/15/against-dnssec/). Can't
vouch for accuracy but the person seemed like they knew what they
were talking about. That was of course 7 years ago so maybe things
have changed since.
nate