On Fri, Nov 07, 2014 at 07:48:02PM +0100, Bernhard Schmidt wrote:

> > DANE does not apply to unsigned domains, even though the MX host
> > might have TLSA RRs.
> 
> Ah right, thanks for pointing that out. Should I be concerned that
> sometimes anonymous TLS is chosen?

No.  It was my design choice to make Postfix prefer to use anonymous
cipher suites when certificates are ignored anyway.  One way to
know that the SMTP server is likely running Postfix is to notice that
it agrees to an anonymous cipher suite with your Postfix SMTP
client.

With the future TLS policy interface Wietse hinted at, in common
configurations, we may negotiate the use of certificates more often,
and log success when they happen to verify, even if such verification
is not mandatory.  For now, anonymous is the expected outcome with
opportunistic TLS when the other end also supports it.

-- 
        Viktor.
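One way to see which of these outcomes your own server is getting, as an added example that is not code from the post or from Postfix itself: it parses the "TLS connection established" lines the Postfix SMTP client logs and tallies the trust level (Anonymous, Untrusted, Trusted, Verified) per destination, so an all-anonymous destination can be recognised as the expected result under opportunistic TLS rather than a fault. The log lines, hostnames and addresses below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape the Postfix SMTP client logs at
# TLS setup (hosts, addresses and timestamps are made up).
SAMPLE_LOG = """\
Nov  7 19:50:01 mail postfix/smtp[2311]: Anonymous TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Nov  7 19:50:07 mail postfix/smtp[2312]: Untrusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  7 19:50:15 mail postfix/smtp[2313]: Verified TLS connection established to mx2.example.net[192.0.2.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov  7 19:50:20 mail postfix/smtp[2314]: Anonymous TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Nov  7 19:50:31 mail postfix/smtp[2315]: Trusted TLS connection established to smtp.example.com[203.0.113.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Trust levels Postfix reports, lowest assurance first.
LEVELS = ("Anonymous", "Untrusted", "Trusted", "Verified")

TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def parse_tls_events(log_text):
    """Yield (level, host, cipher) for every 'TLS connection established' line."""
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            yield m.group("level"), m.group("host"), m.group("cipher")

def summarize(log_text):
    """Per destination host: count of each trust level and the best level seen."""
    per_host = defaultdict(Counter)
    for level, host, _cipher in parse_tls_events(log_text):
        per_host[host][level] += 1
    return {
        host: {"counts": dict(c), "best": max(c, key=LEVELS.index)}
        for host, c in per_host.items()
    }

def anonymous_only_hosts(log_text):
    """Hosts whose every session was anonymous: the expected outcome under
    opportunistic TLS, and the list to review before tightening policy."""
    return sorted(h for h, s in summarize(log_text).items()
                  if set(s["counts"]) == {"Anonymous"})

if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:20s} best={s['best']:9s} {s['counts']}")
    print("anonymous-only:", anonymous_only_hosts(SAMPLE_LOG))
```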