On Thu, May 12, 2016 at 1:24 PM, Jeffry Dwight <jeffry.dwi...@greyware.com> wrote:
> So, what do you all do? Right now, I'm verifying the cert and its chain, but
> ignoring CN mismatches. That seems to be fine for ensuring encryption, but
> rather defeats the purpose of knowing we're connecting to the proper
> server.
>
> Second question: How do you handle self-signed certs? Do you just ignore
> cases where the root isn't a trusted root?

Don't bother verifying the certificate host names. You've identified many issues already. Just use it for the opportunistic encryption unless you're dealing with a lot of high-risk mail like banks. From what I gather, they only do certificate checks on specified destinations (i.e., other banks they know to have certificates set up correctly to match) and in those cases they fail if the cert does not match. For general consumer mail there is no way to do this.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
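The per-destination policy the reply describes (opportunistic TLS for general mail, strict chain-and-name verification only for a known set of high-risk peers) can be expressed as a small policy table driving Python's standard `ssl` module. This is an added example, not code from the thread or from any MTA; the destination names in `STRICT_DESTINATIONS` are constructed, and `decide()` takes the chain and host-name results from whatever check the sending MTA performed as plain booleans.

```python
"""Per-destination outbound SMTP TLS policy (added example).

Default: opportunistic encryption, no certificate requirements.
Exception: a configured set of high-risk destinations for which the chain
must reach a trusted root and the name must match, or delivery fails.
"""
import ssl
from dataclasses import dataclass

# Constructed example data: peers we know have correct certificates and
# for which we refuse to deliver on a mismatch (the "other banks" case).
STRICT_DESTINATIONS = {"bank.example", "partner-bank.example"}


@dataclass(frozen=True)
class TlsPolicy:
    mode: str            # "strict" or "opportunistic"
    verify_chain: bool   # require a chain to a trusted root
    verify_name: bool    # require the certificate to match the peer host name


def policy_for(destination: str) -> TlsPolicy:
    """Choose the policy for a destination domain (case-insensitive)."""
    if destination.lower() in STRICT_DESTINATIONS:
        return TlsPolicy("strict", verify_chain=True, verify_name=True)
    # Everything else: encrypt if the peer offers STARTTLS, ask nothing of the cert.
    return TlsPolicy("opportunistic", verify_chain=False, verify_name=False)


def context_for(policy: TlsPolicy) -> ssl.SSLContext:
    """Build an SSLContext that enforces exactly what the policy asks for."""
    ctx = ssl.create_default_context()  # chain and host-name checks are on by default
    if not policy.verify_name:
        # check_hostname must be cleared before verify_mode may be relaxed,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if policy.verify_chain else ssl.CERT_NONE
    return ctx


def context_settings(policy: TlsPolicy) -> tuple:
    """(check_hostname, verify_mode name) for inspection and tests."""
    ctx = context_for(policy)
    return (ctx.check_hostname, ctx.verify_mode.name)


def decide(policy: TlsPolicy, chain_ok: bool, name_ok: bool) -> str:
    """Map observed certificate results to an MTA action.

    chain_ok is False for self-signed certs or unknown roots; name_ok is
    False on a CN/SAN mismatch.  Returns "deliver", "deliver-and-log" or "fail".
    """
    if policy.mode == "strict":
        return "deliver" if (chain_ok and name_ok) else "fail"
    # Opportunistic: the encrypted channel is the goal, so always deliver,
    # but record mismatches so operators can see which peers would fail
    # a stricter policy before they tighten it.
    return "deliver" if (chain_ok and name_ok) else "deliver-and-log"


if __name__ == "__main__":
    for dest in ("bank.example", "consumer-mail.example"):
        pol = policy_for(dest)
        print(dest, pol.mode, context_settings(pol),
              "self-signed ->", decide(pol, chain_ok=False, name_ok=False))
```

The logging branch is what makes the opportunistic mode operationally useful: a record of which destinations present mismatched or untrusted certificates is the data you need before promoting any of them into the strict set.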