Dear Viktor,

On 07/06/17 20:11, Viktor Dukhovni wrote:
> On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:
>
>> There are several SMTP servers, where messages should only be sent over a
>> secure channel. But, the postmasters have set up the servers differently.
>> Some use CAs to sign their certificates and some DANE with self-signed
>> certificates.
>>
>> To avoid maintaining two TLS policies, one where for
>> `smtp_tls_security_level` the value `secure` is specified, and another with
>> `dane-only` [1], and keeping an eye out, when SMTP switch to or from DANE,
>> is there a way to maintain one list? So if no DANE records are published, it
>> falls back to secure certificate verification?
>>
>> Like `dane` falls back to `may`?
>
> Wietse and I have discussed something along these lines some time
> back, but nothing of that sort has as yet been implemented.

Would paying for the work speed up the implementation? If yes, who could be contracted for that work?


Kind regards,

Paul
