For opportunistic TLS there is no difference between a CA-signed certificate and a self-signed (or even unsigned) certificate, because the certificate is usually not validated. Certificate validation is useless here, because opportunistic TLS falls back to cleartext anyway.

For DANE, again there is no difference, because the certificate is pinned via DNS. For SMTP STS validation is important and you had better provide the whole certificate chain (except the self-signed root CA) for compatibility.

13.09.2018 15:56, Christian wrote:
> Hey,
>
> I was wondering what the best practice is regarding certificate chains
> provided through SMTP.
>
> Should you present the entire certificate chain including the CA or
> just the certificate and all intermediate certificates?
>
> As I understand it the CA has to be in the trust store of the other
> party anyway since it makes no sense to trust all other certificates
> if there is no trusted CA, even if the server provides it. If the
> provided (or not provided) CA is not in the trust store it is as good
> as a self-signed/unsigned certificate (chain), isn't it?
> Even if this might be true, is it still best practice to provide the CA?
>
> Of course, the matter is different with DANE since you can argue a
> "pinned" certificate is better than one signed by a CA.
>
> Can someone shed some light on how off I am on this topic?
>
> Thanks,
> Christian
>
> PS: Do best practices differ from those for HTTPS?
>
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

-- 
Vladimir Dubrovin @Mail.Ru
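The three client policies the reply contrasts (opportunistic, DANE, MTA-STS) differ in whether the server's chain is validated at all and whether cleartext is an acceptable fallback. The following is an added example, not code from the thread or from any MTA: it expresses those policies as Python `ssl` contexts and a minimal STARTTLS probe. The hostname and the `deliver_probe`/`policy_summary` function names are illustrative assumptions; Python's `ssl` module has no TLSA support, so DANE is only described in a comment.

```python
"""Added example: how SMTP TLS policies treat the server certificate chain.

Not taken from the mailop thread; hostnames and function names are
placeholders chosen for illustration.
"""
import smtplib
import ssl
from typing import Optional, Tuple


def opportunistic_context() -> ssl.SSLContext:
    """Opportunistic TLS: encrypt if offered, never validate.

    A self-signed certificate, or one sent without its intermediates,
    is accepted exactly like a CA-signed one, which is why the chain
    does not matter for this policy.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """MTA-STS style: chain must validate to a trusted root, name must match.

    The server has to send every intermediate; the root is taken from the
    trust store (ca_file or the system store), so sending the root itself
    is unnecessary.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def policy_for(mode: str) -> Tuple[ssl.SSLContext, bool]:
    """Map a policy name to (context, cleartext_allowed).

    DANE is deliberately absent: it pins the certificate via a TLSA record
    in DNSSEC-signed DNS, which the stdlib ssl module cannot evaluate.
    """
    if mode == "opportunistic":
        return opportunistic_context(), True
    if mode == "mta-sts":
        return verifying_context(), False
    raise ValueError(f"unsupported policy: {mode}")


def policy_summary(mode: str) -> dict:
    """Plain-value view of a policy, convenient for tests and logging."""
    ctx, cleartext_ok = policy_for(mode)
    return {
        "chain_validated": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "cleartext_fallback": cleartext_ok,
    }


def deliver_probe(host: str, mode: str, port: int = 25) -> str:
    """Open a session under the given policy and report the outcome.

    Returns "tls", "cleartext" or "cleartext-fallback"; raises when the
    policy forbids cleartext. Needs network access, so it is not part of
    the self-test. A real MTA would reconnect without STARTTLS instead of
    reusing a socket whose handshake failed.
    """
    ctx, cleartext_ok = policy_for(mode)
    s = smtplib.SMTP(host, port, timeout=10)
    try:
        s.ehlo()
        if not s.has_extn("starttls"):
            if cleartext_ok:
                return "cleartext"
            raise RuntimeError("policy requires TLS but STARTTLS not offered")
        try:
            s.starttls(context=ctx)
            s.ehlo()
            return "tls"
        except ssl.SSLError:
            # Bad chain, untrusted root or name mismatch only matters here
            # if the policy forbids falling back.
            if not cleartext_ok:
                raise
            return "cleartext-fallback"
    finally:
        s.close()


if __name__ == "__main__":
    for m in ("opportunistic", "mta-sts"):
        print(m, policy_summary(m))
```

Under `opportunistic` the probe reports success even when the server's chain is incomplete; under `mta-sts` the same server fails the handshake and, since cleartext is not allowed, the failure is surfaced rather than hidden, which is the compatibility concern behind shipping the full intermediate chain.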