In the case of STARTTLS failure, SMTP falls back to cleartext (unless
DANE or SMTP STS is used to indicate that STARTTLS is required). Encryption
with an invalid certificate in this case is better than no encryption.

Jeffry Dwight writes:
> Thanks for all the replies.
>
> Is it even worth checking the cert chain at all?
>
> Right now, I've taken your advice and am ignoring the following errors:
>
> Untrusted CA
> Untrusted Root
> Untrusted Test Root
> CN Name Mismatch
> Cert Expired
>
> This leaves only revocation, invalid cert use, and miscellaneous unlikely
> errors to encounter after a successful handshake (not much).
>
> Probably revocation is important, but log-diving shows a lot of self-signed
> and expired certs used by legit MTA recipients. I can't figure out how to
> tell the difference between a "real" untrusted root and a cert issued by
> some admin's personal CA.
>
> Jeffry
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Vladimir Dubrovin
@Mail.Ru
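To make the two regimes in the reply concrete, here is an added Go example; it is not code from either poster or from any MTA. It generates constructed self-signed test certificates (standing in for the "admin's personal CA" case from the quoted message), runs Go's x509 chain verification against a chosen trust store, maps the result onto the coarse categories from that message (untrusted root, name mismatch, expired), and then applies the rule from the reply: with no DANE or MTA-STS policy (the mail calls it SMTP STS) an unverifiable chain is still used for encryption, while under an enforced policy the same error aborts delivery instead of falling back to cleartext. The `Policy` and decision names, the category strings and the `mx.example.test` host names are assumptions of the example, not part of any standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy is what the destination has signalled about TLS (names assumed here).
type Policy int

const (
	Opportunistic Policy = iota // no DANE/MTA-STS: any TLS beats cleartext
	Enforced                    // DANE or MTA-STS: verified STARTTLS required
)

// Decisions the sending MTA can reach after checking the receiver's certificate.
const (
	EncryptVerified   = "encrypt, chain verified"
	EncryptUnverified = "encrypt, chain NOT verified (opportunistic)"
	Abort             = "abort delivery (enforced policy, verification failed)"
)

// Classify maps an x509 verification error onto coarse MTA-log categories (strings chosen here).
func Classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted root"
	case errors.As(err, &hostname):
		return "name mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return "other"
	}
}

// DecideTLS applies the rule from the mail: without DANE/MTA-STS an unverifiable
// certificate still encrypts; under an enforced policy the same error aborts delivery.
func DecideTLS(policy Policy, verifyErr error) (decision, category string) {
	category = Classify(verifyErr)
	switch {
	case verifyErr == nil:
		return EncryptVerified, category
	case policy == Enforced:
		return Abort, category
	default:
		return EncryptUnverified, category
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeSelfSigned builds a self-signed server cert (constructed test data) for the given SANs and window.
func MakeSelfSigned(sans []string, notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// VerifyAgainst checks cert for mxHost against the given anchors only, never the system store.
func VerifyAgainst(cert *x509.Certificate, roots *x509.CertPool, mxHost string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: mxHost})
	return err
}

func main() {
	now := time.Now()
	good := MakeSelfSigned([]string{"mx.example.test"}, now.Add(-time.Hour), now.Add(24*time.Hour))
	pinned := x509.NewCertPool()
	pinned.AddCert(good) // the receiver's own self-signed cert is our only anchor
	for name, err := range map[string]error{
		"pinned, name ok": VerifyAgainst(good, pinned, "mx.example.test"),
		"unknown root":    VerifyAgainst(good, x509.NewCertPool(), "mx.example.test"),
		"name mismatch":   VerifyAgainst(good, pinned, "mx.other.test"),
	} {
		for _, p := range []Policy{Opportunistic, Enforced} {
			d, cat := DecideTLS(p, err)
			fmt.Printf("%-16s policy=%d cert=%-15s -> %s\n", name, p, cat, d)
		}
	}
}
```

The point of keeping `Classify` separate from `DecideTLS` is the one the quoted message raises: an opportunistic sender that ignores these errors should still record which category it saw, so the log shows how much mail goes out under an unverified chain and which receivers would break the day a policy is enforced. A self-signed certificate you have pinned as an anchor verifies cleanly, which is the only way to tell a known "personal CA" apart from an unknown one.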