On Tue, 2015-06-30 at 01:04 +0200, Michelle Sullivan wrote:
> just get someone to set up a server as the destination hop, accept
> encrypted email (DH=4096 for good measure) then forward plain text

dnssec/dane-smtp closes that loophole. The receiver needs to care enough about closing that loophole to publish a dnssec secured tlsa record for _25._tcp.mx-target-name, and the sender needs to care enough about it to use that tlsa record to enforce a tls-only policy towards that mx target. And the sender must apply the constraints in that tlsa record to the X.509 certificate offered by the receiver.

If the receiver wants *maximal* interoperability, they should not advertise STARTTLS, since there is always the possibility that the sender and receiver don't have any mutually compatible encryption algorithms. If the receiver advertises STARTTLS, but has only weak encryption (short DH key, SSLv3 only, etc), the rest of the world may decide not to deliver mail to them.
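
Added example, not part of the original message: a sketch of the sender-side decision the reply describes, where a DNSSEC-validated TLSA RRset for the MX target makes TLS mandatory and constrains the certificate the receiver offers. The function names, decision labels and byte strings are constructed for illustration; the certificate and SPKI DER bytes are assumed to come from the sender's TLS stack, and only DANE-EE (usage 3) matching is implemented.

```python
import hashlib

# RFC 6698 matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse presentation-format rdata: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def usable(rec):
    usage, selector, mtype, _ = rec
    if usage == 2:
        raise NotImplementedError("DANE-TA needs chain validation, omitted here")
    # PKIX-TA(0) / PKIX-EE(1) are treated as unusable for SMTP (RFC 7672)
    return usage == 3 and selector in (0, 1) and mtype in DIGESTS

def matches(rec, cert_der, spki_der):
    _, selector, mtype, data = rec
    selected = cert_der if selector == 0 else spki_der  # 0 = cert, 1 = SPKI
    return DIGESTS[mtype](selected) == data

def sender_decision(tlsa_rdatas, dnssec_secure, starttls_offered,
                    cert_der=b"", spki_der=b""):
    """Return what a DANE-aware sending MTA does for one MX host."""
    if not dnssec_secure or not tlsa_rdatas:
        return "opportunistic"            # no validated DANE policy to enforce
    if not starttls_offered:
        return "defer"                    # TLS is mandatory: no plaintext fallback
    recs = [r for r in map(parse_tlsa, tlsa_rdatas) if usable(r)]
    if not recs:
        return "encrypt-unauthenticated"  # secure RRset, but nothing usable
    if any(matches(r, cert_der, spki_der) for r in recs):
        return "deliver"
    return "defer"                        # certificate does not satisfy the TLSA

# Constructed stand-ins for the DER bytes a TLS stack would hand back
CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"
ROGUE_CERT, ROGUE_SPKI = b"rogue-cert-der", b"rogue-spki-der"
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]  # _25._tcp.<mx-target>
```

The two "defer" outcomes are where the policy takes effect: a hop that does not offer STARTTLS, or that presents a different key, gets no mail instead of plaintext mail.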