On Tue, Jul 25, 2017 at 09:59:43AM +0200, post...@xmas.de wrote:
> I only have the MX and have to ensure that the transport is encrypted.
Well. If the remote system announces STARTTLS, it will be used. So you
ensured to use encryption if the remote system tells you it works.
> I understand that DNSSEC/DANE is the best way to do it.
> But unfortunately, DNSSEC is still not common.
You need one piece of securely transmitted information, either the
domains or via secured DNS the public key information of the remote.
> I think it would be worth to encrypt despite DNS is spoofable.
As said, postfix will already encrypt things, if the remote is capable
of it.
Bastian
--
If I can have honesty, it's easier to overlook mistakes.
-- Kirk, "Space Seed", stardate 3141.9
