On Tue, Aug 23, 2022 at 09:21:33AM -0700, nate wrote:
> On 2022-08-22 14:46, Viktor Dukhovni wrote:
>
> [..]
>
> > You don't need to sign your own domain in order to secure outbound traffic
> > to domains that others have signed. You just need a local validating
> > resolver such as "unbou
On 2022-08-22 14:46, Viktor Dukhovni wrote:
[..]
You don't need to sign your own domain in order to secure outbound traffic
to domains that others have signed. You just need a local validating
resolver such as "unbound", with DNSSEC validation turned on.
OK, yeah, I was thinking more of DANE.
On Tue, Aug 23, 2022 at 01:13:56AM -0400, Demi Marie Obenour wrote:
> You should definitely deploy DNSSEC, but only after you are able to
> deploy it properly. That means having procedures to avoid nasty DNSSEC-
> related downtime.
That's needlessly scary and non-specific. Rather, it means, tha
On 8/22/22 17:38, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
>> Correct, because there's no point. Mail would be sent whether the
>> certificate is trusted or not, and whether or not the DNS-ID matches
>> expectations.
>>
>> Setting up a TLS policy for each domain that's hosted b
On Mon, Aug 22, 2022 at 02:38:20PM -0700, nate wrote:
> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
> > Correct, because there's no point. Mail would be sent whether the
> > certificate is trusted or not, and whether or not the DNS-ID matches
> > expectations.
> >
> > Setting up a TLS policy
On 2022-08-22 14:30, Viktor Dukhovni wrote:
Correct, because there's no point. Mail would be sent whether the
certificate is trusted or not, and whether or not the DNS-ID matches
expectations.
Setting up a TLS policy for each domain that's hosted by Microsoft is
unrealistic, and they don't yet
On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote:
> postfix/smtp[7329]: Untrusted TLS connection established to
> example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I assume it says Untrusted because Postfix do