Re: [mailop] self-signed cert for inbound TLS

2017-07-25 Thread Eric Tykwinski
> On Jul 25, 2017, at 7:46 PM, Brandon Long via mailop wrote:
>
> Agreed that STS and DANE are the solution for enforcing, however it's still early days for those.
>
> Brandon

Sorry, probably straying from the topic, but does anyone know any good SMTP tests for

Re: [mailop] self-signed cert for inbound TLS

2017-07-25 Thread Brandon Long via mailop
On Tue, Jul 25, 2017 at 4:13 PM, Ted Cabeen wrote:
> On 7/25/2017 8:14 AM, Vladimir Dubrovin via mailop wrote:
>
>> STARTTLS is opportunistic and doesn't protect against active Man-in-the-Middle. In case of TLS problems it falls back to plain text.

Re: [mailop] self-signed cert for inbound TLS

2017-07-25 Thread Ted Cabeen
On 7/25/2017 8:14 AM, Vladimir Dubrovin via mailop wrote:
> STARTTLS is opportunistic and doesn't protect against active Man-in-the-Middle. In case of TLS problems it falls back to plain text.

Interestingly, that's not always the case now. We typoed the cert on one of our list servers earlier

Re: [mailop] Restricted email address UIDs for public email domains

2017-07-25 Thread Ken O'Driscoll
On common OS names, I have an ISP client who blocks Administrator@ (both in and out). They claim it reduces a whole load of problems with misconfigured Exchange / AD servers living on client LANs. Also make sure messages to abuse@ also feed into your Abuse dept. as well as going to your client.

Re: [mailop] Restricted email address UIDs for public email domains

2017-07-25 Thread Brandon Long via mailop
Other things to consider are support/sales/ads or anything that contains your brand. Guess this depends on whether this is a set of domains that anyone can sign up for an address on, or whether they own the domain. Gmail also restricted all usernames that its employees used and all popular

Re: [mailop] Restricted email address UIDs for public email domains

2017-07-25 Thread Michael Peddemors
On 17-07-25 09:59 AM, Kirk MacDonald wrote:
> In addition to what is mentioned in RFC2142, can anyone offer any resources (or "best practices") for what can be considered "restricted" email addresses/UIDs for a domain which offers mailbox service to the general public? This would also be

[mailop] Restricted email address UIDs for public email domains

2017-07-25 Thread Kirk MacDonald
In addition to what is mentioned in RFC2142, can anyone offer any resources (or "best practices") for what can be considered "restricted" email addresses/UIDs for a domain which offers mailbox service to the general public? This would also be assuming the "restricted" email addresses are

Re: [mailop] self-signed cert for inbound TLS

2017-07-25 Thread Vick Khera
I've not had any issues with self-signed certs with TLS on SMTP. That said, lately I've been using Let's Encrypt certificates with the certbot program to manage them, and that has worked really well. The initial setup takes a little effort to do a DNS-based verification since the mail hosts are not

Re: [mailop] self-signed cert for inbound TLS

2017-07-25 Thread Vladimir Dubrovin via mailop
STARTTLS is opportunistic and doesn't protect against active Man-in-the-Middle. In case of TLS problems it falls back to plain text. To protect against passive Man-in-the-Middle, there is no actual difference between the self-signed certificate and certificate from recognized CA, so, except may