On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:

> There are several SMTP servers, where messages should only be sent over a
> secure channel. But, the postmasters have set up the servers differently.
> Some use CAs to sign their certificates and some DANE with self-signed
> certificates.
> 
> To avoid maintaining two TLS policies, one where for
> `smtp_tls_security_level` the value `secure` is specified, and another with
> `dane-only` [1], and keeping an eye out for when SMTP servers switch to or from DANE,
> is there a way to maintain one list? So if no DANE records are published, it
> falls back to secure certificate verification?
>
> Like `dane` falls back to `may`?

Wietse and I have discussed something along these lines some time
back, but nothing of that sort has as yet been implemented.

-- 
        Viktor.
