On Fri, Dec 27, 2013 at 02:54:55PM -0500, Patrick Patterson wrote:

> Why does no-one else notice? Probably because you've got your
> server set to actually validate TLS certs, as opposed to most of
> the world that doesn't. :)
With SMTP, PKIX certificate verification is pointless without explicit
per-destination configuration:

    http://vdukhovni.github.io/ietf/draft-ietf-dane-smtp-with-dane-05.html#rfc.section.1.2

This is why I am working to implement and standardize SMTP with DANE TLS.

The OP has not explained whether the destination in question has been
specifically selected for TLS authentication, or whether TLS
authentication is attempted with all destinations that do STARTTLS.

Most businesses that do mandatory SMTP TLS for compliance reasons protect
only against passive attacks (don't send in the clear). Configuration of
pre-DANE authenticated SMTP TLS is too difficult.

The OP might want to configure his MTA to only require TLS encryption
when sending to the site in question, without authentication.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
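As an added illustration (not part of this thread), the per-destination choices discussed above expressed as a Postfix TLS policy table; Postfix itself is an assumption, since the post does not name the OP's MTA, and the destination domains are placeholders.

```ini
; /etc/postfix/main.cf (excerpt). Postfix is assumed here; the thread names no MTA.
; Comments must be on their own lines: in main.cf a "#" after a value is part of the value.
; Opportunistic, unauthenticated TLS for every destination not listed in the policy table.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
; CA bundle is consulted only for the "secure"/"verify" levels.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
; Level 1 logs one line per delivery saying Anonymous/Untrusted/Trusted/Verified,
; which is how to confirm which policy a destination actually got.
smtp_tls_loglevel = 1
; The "dane" levels additionally need Postfix 2.11 or later and a validating resolver.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns

; /etc/postfix/tls_policy (placeholder domains; run "postmap /etc/postfix/tls_policy" after editing)
; Encryption mandatory, certificate NOT authenticated: defeats passive eavesdropping only.
; This is the "require encryption without authentication" option suggested for the OP.
problem-dest.example   encrypt
; A destination explicitly selected for authentication: encryption plus PKIX verification
; against the names listed in match= (the explicit per-destination configuration the post
; refers to). Delivery is deferred when the certificate does not match, so choose match= deliberately.
partner.example        secure match=mail.partner.example:.partner.example
; A destination that publishes TLSA records: DANE authentication, no CA bundle involved;
; falls back to unauthenticated "may" behaviour only if no usable TLSA records exist.
dane-dest.example      dane
; Same, but never falls back: delivery is deferred when TLSA records are absent or unusable.
dane-only-dest.example dane-only
```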