Thus spoke Wietse Venema <wie...@porcupine.org> [2017-09-17 21:51 +0200]:
> I wonder, if this is used for 'internal' email traffic, why bother
> with certificates that require frequent renewal? If the organization
> is that large, I would expect that all external email is handled
> by relay hosts on the perimeter, instead of allowing direct mail
> from random 'internal' hosts.
That's precisely what we're trying to do, except the perimeter is non-physical as the hosts are spread across the 'Net, and there's no consistent VPN, unfortunately. So yes, all external mail is handled by a defined set of relay hosts on the perimeter, but we need a sensible way to authorize access to those relay hosts. I'd prefer certificates over SASL passwords, and I think that the ease of using letsencrypt far outweighs the additional security we'd get in return for the effort required to manage our own PKI.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

in the beginning was the word, and the word was content-type: text/plain

spamtraps: madduck.bo...@madduck.net
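An added example, not from the thread above and not Postfix's own documentation, of how the relay-side authorization Martin describes is expressed in Postfix: the perimeter relay asks each client for a certificate, and `permit_tls_clientcerts` grants relaying only to clients whose fingerprint is listed in `relay_clientcerts`, so the fingerprint table rather than the CA does the authorizing. Host names, file paths and the fingerprint are placeholders; the `/etc/letsencrypt/live/...` layout assumes certbot, and the relay is assumed to have a `submission` entry on port 587 in `master.cf`. The example also shows the caveat behind Wietse's question: a Let's Encrypt certificate is replaced at every renewal, so a certificate fingerprint would have to be re-registered each time, whereas the `relay_clientcerts` lookup (Postfix 2.9 and later) also matches the fingerprint of the client's public key, which stays stable if the client renews with the same key (certbot's `--reuse-key`).

```ini
# ---- Perimeter relay host: /etc/postfix/main.cf (added example, placeholder values) ----
# Server-side TLS using the relay's own Let's Encrypt certificate.
smtpd_tls_security_level     = encrypt
smtpd_tls_cert_file          = /etc/letsencrypt/live/relay.example.org/fullchain.pem
smtpd_tls_key_file           = /etc/letsencrypt/live/relay.example.org/privkey.pem

# Ask every client for a certificate; the CA bundle used to check the client
# chain must contain the Let's Encrypt root (ISRG Root X1).
smtpd_tls_ask_ccert          = yes
smtpd_tls_CAfile             = /etc/ssl/certs/ca-certificates.crt

# Digest used for both certificate and public-key fingerprints in relay_clientcerts.
smtpd_tls_fingerprint_digest = sha256

# Authorization is the fingerprint list, not the CA. Do NOT use
# permit_tls_all_clientcerts here: with a public CA that would let anyone
# holding any Let's Encrypt certificate relay through this host.
relay_clientcerts            = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions     = permit_mynetworks,
                               permit_tls_clientcerts,
                               reject_unauth_destination

# ---- /etc/postfix/relay_clientcerts (run "postmap /etc/postfix/relay_clientcerts" after editing) ----
# One line per authorized internal host: <fingerprint> <free-text comment>.
# Listing the public-key fingerprint (constructed value below) instead of the
# certificate fingerprint keeps the entry valid across renewals that reuse the key.
# 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9  host1.internal.example.org

# ---- Internal host: /etc/postfix/main.cf ----
# Send everything to the relay, require a verified relay certificate, and
# present this host's own Let's Encrypt certificate as the client credential.
relayhost                    = [relay.example.org]:587
smtp_tls_security_level      = secure
smtp_tls_CAfile              = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file           = /etc/letsencrypt/live/host1.internal.example.org/fullchain.pem
smtp_tls_key_file            = /etc/letsencrypt/live/host1.internal.example.org/privkey.pem
```

On the relay, `postconf -n | grep -i clientcert` and a look at the `smtpd` log line for a connecting host (it names the client certificate's subject and fingerprint when one is presented) are the quickest ways to confirm which credential actually matched. If an internal host's key is compromised, removing its line from `relay_clientcerts` and re-running `postmap` revokes its relay access immediately, independent of the certificate's remaining validity period.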