Re: Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
Thank you! On 04/05/2017 08:28 PM, Viktor Dukhovni wrote: On Apr 5, 2017, at 10:33 PM, Alice Wonder wrote: I just updated one of my mail servers to self-signed. The signed certificate expires in a few weeks so I can switch back if I did something wrong. https://ssl-tools.net/mailservers/devia

Re: Quick DANE / self-signed question

2017-04-05 Thread Viktor Dukhovni
> On Apr 5, 2017, at 10:33 PM, Alice Wonder wrote:
>
> I just updated one of my mail servers to self-signed. The signed certificate
> expires in a few weeks so I can switch back if I did something wrong.
>
> https://ssl-tools.net/mailservers/deviant.email
>
> That gives a red flag for Unknown Au

Re: Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
On 04/05/2017 07:33 PM, Alice Wonder wrote: I *think* the answer to this is that I am fine. Last year I only used CA issued certificates. This year, I am wanting to move to self-signed for SMTP and for infrastructure domains that are not intended for the public where DANE can validate. I am con

Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
I *think* the answer to this is that I am fine. Last year I only used CA issued certificates. This year, I am wanting to move to self-signed for SMTP and for infrastructure domains that are not intended for the public where DANE can validate. I am convinced DANE does a better job at validating

Re: problem with protection.outlook.com released spam getting bounced

2017-04-05 Thread Mike Guelfi
Assuming the header check works, I'd run that on a different instance of postfix and route the specific outside servers to that instance via the firewall... Quoting John Stoffel: Well, I've confirmed that EOP (protection.outlook.com, our external Spam filter provider) is adding in the "Del