It appears that Bastian Blank via mailop <bbl...@thinkmo.de> said: >MTA-STS is supposed to fix that, by providing a secure way to translate >from domain to MX via a medium break. > >So is DANE, which requires DNSSEC on the whole thing and translates from >domain -> MX -> key via DNSSEC validated DNS.
I do both on my MTA and I can confirm that they work, since I found that when I screwed up the certificates, mail from places that check them, notably Comcast, stopped arriving. While I encourage people to try MTA-STS and DANE, they don't have anything to do with the TLS 1.0 question, since I'm still not seeing a plausible attack (and I emphasize plausible) that TLS 1.0 enables. R's, John _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
