For the last couple of decades, I've been running Exim, using long-lived self-signed certificates for TLS, and since the last but one upgrade a couple of years ago, these certificates haven't even been for the right machine:)
Almost everybody seems happy to talk to me, including gmail and microsoft, so I've never worried about it. Every day I get a few "TLS fatal alert" messages in the log file, but either they're from attackers, or from real sites (e.g. mailgun.net) that then (presumably) fall back to unencrypted sessions, since mail is then sent through. However, yesterday I noticed a string of alerts from a bank that were not followed by mail delivery.

So my question is, if it is certificates (rather than ciphers - my cipher suites are all gnutls default, so should be current), what do I need to do to get everybody to accept TLS? Just make the certificate match the machine name, or do I need to get letsencrypt certificates for it?

Do TLS clients follow CNAMEs to find the server hostname? That is, do I need a certificate with SANs for every name that might be used to contact the machine, or just for the name it presents at SMTP session start?

Thanks for any advice!

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
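An added example, not part of the post above and not Exim or mailop code, for separating the two things the question conflates: a certificate that no CA trusts (self-signed) and a certificate whose names do not cover the host a sender checks. Senders that verify at all (MTA-STS per RFC 8461, DANE per RFC 7672) compare the certificate's dNSName SANs against the MX record's host name, not against the name in the SMTP banner or EHLO, and not against a CNAME target; plain opportunistic TLS usually verifies nothing, which is why most peers still deliver. The script performs a STARTTLS handshake with full verification from the sender's point of view and reports which of the two problems it hit; `probe_mx` needs network access, while `hostname_matches`, `covering_names` and `classify` work offline on constructed inputs. The host names and SAN lists used for illustration are made up.

```python
#!/usr/bin/env python3
"""Probe an MX over STARTTLS the way a verifying sender would, and say
whether a failure is a trust (chain) problem or a name problem.
Added example for this thread; host names are constructed."""
import smtplib
import ssl

# OpenSSL X509 verify codes that Python exposes as
# ssl.SSLCertVerificationError.verify_code
CHAIN_CODES = {
    18: "leaf certificate is self-signed",
    19: "self-signed root is not in the sender's CA store",
    20: "issuer certificate is not in the sender's CA store",
    10: "certificate has expired",
}
HOSTNAME_MISMATCH = 62

DIAGNOSIS = {
    "chain": "needs a certificate chaining to a public CA (e.g. Let's Encrypt)",
    "name": "CA is fine; the SAN list does not cover the MX host name",
    "other": "verification failed for another reason; see detail",
}


def classify(verify_code):
    """Reduce a verification failure to the kind of fix the receiver needs."""
    if verify_code in CHAIN_CODES:
        return "chain"
    if verify_code == HOSTNAME_MISMATCH:
        return "name"
    return "other"


def hostname_matches(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard
    is only honoured as the whole left-most label, matching exactly one
    label (so *.example.org covers mx.example.org but not example.org or
    a.mx.example.org)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def covering_names(san_names, mx_host):
    """The SAN entries that would satisfy a sender checking the MX host name
    (the name from the MX record, which is what MTA-STS and DANE compare)."""
    return [name for name in san_names if hostname_matches(name, mx_host)]


def probe_mx(mx_host, port=25, ehlo="probe.example.invalid", timeout=15):
    """Connect to mx_host, STARTTLS with chain and host-name verification
    enabled, and report what a strict sender would have seen.
    Requires network access; the offline test exercises the helpers only."""
    ctx = ssl.create_default_context()  # system CA store + host name check
    s = smtplib.SMTP(mx_host, port, timeout=timeout)
    try:
        s.ehlo(ehlo)
        if not s.has_extn("starttls"):
            return {"tls": False, "reason": "no STARTTLS offered"}
        try:
            s.starttls(context=ctx)
        except ssl.SSLCertVerificationError as e:
            kind = classify(e.verify_code)
            return {"tls": True, "verified": False, "kind": kind,
                    "diagnosis": DIAGNOSIS[kind], "detail": e.verify_message}
        cert = s.sock.getpeercert()  # only populated after verification
        sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
        return {"tls": True, "verified": True, "sans": sans,
                "covering": covering_names(sans, mx_host),
                "notAfter": cert.get("notAfter")}
    finally:
        s.close()


if __name__ == "__main__":
    import json
    import sys
    # Usage: probe.py mx.example.org  (host name taken from your MX record)
    print(json.dumps(probe_mx(sys.argv[1]), indent=2))
```

Run it from a host outside your own network against the exact name in your MX record; a `kind` of `chain` means the self-signed certificate itself is what a verifying sender rejects, while `name` means the CA is accepted and only the SAN list needs the MX host name added.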