Hi Viktor,

On 07.11.2014 at 15:39, Viktor Dukhovni wrote:
> On Fri, Nov 07, 2014 at 02:04:27PM +0100, Bernhard Schmidt wrote:
>
>> However, sometimes mx2.bund.de negotiates an Anonymous TLS connection
>> and the mail gets delivered
>>
>> Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS
>> connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with
>> cipher AECDH-AES256-SHA (256/256 bits)
>> Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: 3jYxzC541LzyYf:
>> to=<[email protected]>, relay=mx2.bund.de[77.87.224.131]:25, delay=0.32,
>> delays=0.05/0/0.16/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
>> E353315D45B)
>
> Pay close attention to the recipient domain. While bund.de is DNSSEC
> signed, ble.de is not.
>
>> - Why are Untrusted TLS connections dropped, but the arguably even
>> weaker Anonymous TLS connections accepted?
>
> DANE does not apply to unsigned domains, even though the MX host
> might have TLSA RRs.

Ah right, thanks for pointing that out. Should I be concerned that sometimes anonymous TLS is chosen?

Bernhard
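The point Viktor makes above (DANE only applies when the recipient domain's MX lookup is DNSSEC-validated; otherwise Postfix falls back to opportunistic TLS, where an anonymous cipher is acceptable) is easy to get wrong when reading logs. The following Python is an added example, not part of this thread and not Postfix code: it parses Postfix smtp TLS log lines of the kind quoted in the thread, flags anonymous cipher suites, and models the effective security level Postfix derives under `smtp_tls_security_level = dane` (no DNSSEC or no TLSA: `may`; TLSA present but unusable: `encrypt`; usable TLSA: `dane`). The log lines below are constructed; the hosts other than mx2.bund.de, the IPs and the function names are assumptions for the example.

```python
import re

# Constructed sample log lines, modelled on the Postfix smtp(8) lines quoted in the thread.
SAMPLE_LOG = """\
Nov  7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov  7 11:05:02 lxmhs52 postfix-postout/smtp[18392]: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  7 11:05:30 lxmhs52 postfix-postout/smtp[18393]: Verified TLS connection established to mx.example.org[192.0.2.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

# Postfix logs the peer trust level as the first word of the "TLS connection established" line.
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def is_anonymous_cipher(cipher: str) -> bool:
    """OpenSSL names anonymous (unauthenticated) key exchange suites with an 'A' prefix:
    AECDH-* and ADH-* offer no server authentication at all."""
    return cipher.startswith(("AECDH-", "ADH-"))


def parse_tls_log(text: str) -> list[dict]:
    """Extract trust level, MX host, IP, protocol and cipher from each TLS log line."""
    entries = []
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["anonymous_cipher"] = is_anonymous_cipher(entry["cipher"])
        entries.append(entry)
    return entries


def effective_level(mx_dnssec_validated: bool, tlsa_status: str) -> str:
    """Model of how 'smtp_tls_security_level = dane' degrades per destination.

    tlsa_status is one of 'none', 'unusable', 'usable'. Without a DNSSEC-validated
    MX lookup (the ble.de case in the thread) DANE cannot apply, so Postfix uses
    opportunistic 'may' regardless of any TLSA records the MX host publishes.
    """
    if not mx_dnssec_validated or tlsa_status == "none":
        return "may"
    if tlsa_status == "unusable":
        return "encrypt"
    if tlsa_status == "usable":
        return "dane"
    raise ValueError(f"unknown tlsa_status {tlsa_status!r}")


def delivery_allowed(trust: str, level: str) -> bool:
    """Whether a session with the logged trust level satisfies the effective level.

    'dane' demands a Verified peer; 'encrypt' and 'may' accept any TLS session,
    including an Anonymous one, which is why the Anonymous delivery above succeeds."""
    if level == "dane":
        return trust == "Verified"
    return True


def audit(text: str, levels: dict[str, str]) -> list[tuple[str, str, str, bool]]:
    """Join parsed log entries with the per-host effective level (assumed known here)
    and report which sessions met the policy. Missing hosts default to 'may'."""
    report = []
    for e in parse_tls_log(text):
        level = levels.get(e["host"], "may")
        report.append((e["host"], e["trust"], level, delivery_allowed(e["trust"], level)))
    return report


if __name__ == "__main__":
    # Assumed levels for the constructed hosts; mx2.bund.de is reached via an unsigned
    # recipient domain in the thread, hence 'may'.
    levels = {"mx2.bund.de": "may", "mx.example.test": "dane", "mx.example.org": "dane"}
    for host, trust, level, ok in audit(SAMPLE_LOG, levels):
        print(f"{host:18} {trust:10} level={level:8} {'ok' if ok else 'would defer'}")
```

Running it prints one line per session; the `Untrusted` session against a `dane` destination is the one that would not be delivered, while the `Anonymous` session to a `may` destination is accepted, which matches the behaviour Bernhard observed.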
