In article <1f146c09-fe97-bd15-a4d4-a3e8b1c4b...@kooky.org> you write:
>On 08/01/2021 20:07, Joel M Snyder via mailop wrote:
>> And even if there were some HSTS-like way to bind certificates to
>> destination domain names, the lack of an interactive moment for the user
>> to say "yes" or "no" to a questionable certificate makes it even worse.
>
>So you don't rate the combo of DANE + DNSSEC + MTA-STS ?
They are quite widely deployed on large mail systems and they work fine.
I learned the hard way, messed up one of my TLSA certs and Comcast stopped
talking to me (as they should) until I fixed it.

It is not a bug or flaw that mail systems do not ask users to confirm
certificates for mail deliveries because users have no idea what hosts or
certificates to expect. For example, if you send mail to u...@computer.org
(a real address) the MX is aspmx.l.google.com and its certificate matches

DNS:mx.google.com, DNS:alt1.aspmx.l.google.com,
DNS:alt1.gmail-smtp-in.l.google.com, DNS:alt1.gmr-smtp-in.l.google.com,
DNS:alt2.aspmx.l.google.com, DNS:alt2.gmail-smtp-in.l.google.com,
DNS:alt2.gmr-smtp-in.l.google.com, DNS:alt3.aspmx.l.google.com,
DNS:alt3.gmail-smtp-in.l.google.com, DNS:alt3.gmr-smtp-in.l.google.com,
DNS:alt4.aspmx.l.google.com, DNS:alt4.gmail-smtp-in.l.google.com,
DNS:alt4.gmr-smtp-in.l.google.com, DNS:aspmx.l.google.com,
DNS:aspmx2.googlemail.com, DNS:aspmx3.googlemail.com,
DNS:aspmx4.googlemail.com, DNS:aspmx5.googlemail.com,
DNS:gmail-smtp-in.l.google.com, DNS:gmr-mx.google.com,
DNS:gmr-smtp-in.l.google.com, DNS:mx1.smtp.goog, DNS:mx2.smtp.goog,
DNS:mx3.smtp.goog, DNS:mx4.smtp.goog, DNS:smtp.google.com

What actually happens on certificate validation failures is that the mail
delivery soft fails and if an admin is so inclined she can later look at
the logs and check for problems.

R's,
John
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
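As an added illustration of the behaviour John describes (this is example code written for this page, not John's code and not taken from any MTA), the following Python models the decision a sending MTA makes once it has the MX certificate in hand: a DANE-EE TLSA check, an MTA-STS "mx" pattern check plus SAN name match, and the soft-fail outcome when either fails. The certificate and SPKI bytes, the TLSA records and the MTA-STS mx patterns are constructed placeholders; the SAN names are a subset of those quoted in the post. Only the leftmost-label wildcard form shared by RFC 6125 names and RFC 8461 mx patterns is implemented, and only TLSA usage 3 (DANE-EE), since usages 0-2 need chain validation that is out of scope here.

```python
"""Model of an SMTP client's TLS policy decision: deliver, or defer and log.
Constructed example; no real DNS or TLS data is used."""
import hashlib
import logging
from typing import Iterable, Optional, Sequence, Tuple

log = logging.getLogger("smtp-client")

TlsaRecord = Tuple[int, int, int, str]  # (usage, selector, matching type, hex data)


def san_matches(host: str, pattern: str) -> bool:
    """Name match in the style of RFC 6125: exact, or '*' as the whole leftmost
    label covering exactly one label. The same form is used for certificate
    SANs and for the 'mx:' patterns of an MTA-STS policy (RFC 8461)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def name_ok(mx_host: str, patterns: Iterable[str]) -> bool:
    return any(san_matches(mx_host, p) for p in patterns)


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (certificate usage 3) check of one TLSA record against the
    end-entity certificate the MX presented. Selector 0 = whole certificate,
    1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512.
    Usages 0-2 require chain validation and are deliberately not handled."""
    usage, selector, mtype, data_hex = record
    if usage != 3:
        return False
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return False
    if mtype == 0:
        observed = selected.hex()
    elif mtype == 1:
        observed = hashlib.sha256(selected).hexdigest()
    elif mtype == 2:
        observed = hashlib.sha512(selected).hexdigest()
    else:
        return False
    return observed == data_hex.lower()


def decide_delivery(mx_host: str, sans: Sequence[str], tlsa_records: Sequence[TlsaRecord],
                    cert_der: bytes, spki_der: bytes,
                    mta_sts_mx: Optional[Sequence[str]] = None) -> Tuple[str, str]:
    """Outcome of the TLS policy check for one delivery attempt.

    Returns ('deliver', reason) or ('defer', reason). A failed check is a soft
    fail: the message stays queued for a later retry and a warning is logged
    for the admin; no user is ever asked to approve a certificate."""
    if tlsa_records:
        # DANE: the TLSA RRset came from a DNSSEC-signed zone, so it is
        # authoritative about which certificate or key the MX must present.
        if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
            return "deliver", "DANE: a TLSA record matches the presented certificate"
        log.warning("DANE: no TLSA record for %s matches presented cert, deferring", mx_host)
        return "defer", "DANE: no TLSA record matched"
    if mta_sts_mx is not None:
        # MTA-STS policy in enforce mode: MX must be listed and the cert must name it.
        if not name_ok(mx_host, mta_sts_mx):
            log.warning("MTA-STS: MX %s not permitted by policy, deferring", mx_host)
            return "defer", "MTA-STS: MX host not permitted by policy"
        if not name_ok(mx_host, sans):
            log.warning("MTA-STS: certificate for %s does not name it, deferring", mx_host)
            return "defer", "MTA-STS: certificate does not match MX host"
        return "deliver", "MTA-STS: MX and certificate accepted"
    # No published policy: opportunistic TLS; a name mismatch only earns a log line.
    if not name_ok(mx_host, sans):
        log.info("opportunistic TLS: certificate for %s does not name it", mx_host)
    return "deliver", "no policy published; opportunistic TLS"


# A subset of the SAN names quoted in the post for the computer.org MX.
GOOGLE_SANS = ["mx.google.com", "alt1.aspmx.l.google.com", "aspmx.l.google.com", "smtp.google.com"]
# Constructed stand-ins for the DER bytes a real client takes from the TLS handshake.
CERT_DER = b"constructed: certificate DER bytes"
SPKI_DER = b"constructed: SubjectPublicKeyInfo DER bytes"
GOOD_TLSA: TlsaRecord = (3, 1, 1, hashlib.sha256(SPKI_DER).hexdigest())  # "3 1 1 <sha256 of SPKI>"
STALE_TLSA: TlsaRecord = (3, 1, 1, "00" * 32)  # a record left behind after a key rollover
# Constructed MTA-STS mx patterns, not any real domain's policy.
STS_MX = ["aspmx.l.google.com", "*.aspmx.l.google.com"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    print("DANE ok:     ", decide_delivery("mx.example.net", [], [GOOD_TLSA], CERT_DER, SPKI_DER))
    print("DANE stale:  ", decide_delivery("mx.example.net", [], [STALE_TLSA], CERT_DER, SPKI_DER))
    print("MTA-STS ok:  ", decide_delivery("aspmx.l.google.com", GOOGLE_SANS, [], CERT_DER, SPKI_DER, STS_MX))
    print("MTA-STS bad: ", decide_delivery("mx.other.example", GOOGLE_SANS, [], CERT_DER, SPKI_DER, STS_MX))
```

The STALE_TLSA case is the situation John ran into: the DNS record no longer matches the key the server presents, so every DANE-validating sender defers until the record is corrected, and the only place anyone sees it is the sender's log.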