Curtis Villamizar:
> In message <[email protected]>
> Wietse Venema via Postfix-users writes:
>
> > Curtis Villamizar via Postfix-users:
> > > How feasible (or infeasible) is it today to configure mandatory TLS
> > > encryption on a public facing server? Are there any stats on the
> > > percentage of mail servers that don't support TLS and the percentage
> > > of known large volume mail servers that don't support TLS (I suspect
> > > zero on the latter)?
> >
> > There are two levels of outbound TLS enforcement:
> >
> > - Unauthenticated TLS (just piss off the NSA etc.) - likely works.
>
> DANE with self signed is unauthenticated or authenticated?

DANE TLS is the only strongly authenticated TLS.

> > - Authenticated TLS (actual security) - not by a long shot.
>
> Is the CA authenticated? That would account for the comment "not by a
> long shot".

PKI is MEANINGLESS if you haven't SECURELY looked up the MX
host names, for that you need DNSSEC or STS (fig leaf).

Wietse
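
The enforcement levels discussed in this thread correspond to values of Postfix's `smtp_tls_security_level` parameter. The fragment below is an added illustration, not part of either poster's message; the destination names `partner.example` and `legacy.example` and the policy table path are assumptions.

```ini
# /etc/postfix/main.cf (outbound SMTP client settings)

# Option 1: mandatory but unauthenticated TLS.
# Delivery is deferred when the remote server does not offer STARTTLS.
# The server certificate is NOT verified, so this stops passive
# eavesdropping but not an active man-in-the-middle.
#smtp_tls_security_level = encrypt

# Option 2: opportunistic DANE.
# Destinations whose MX lookup is DNSSEC-validated and that publish
# TLSA records get authenticated TLS; a self-signed certificate is
# acceptable as long as it matches the TLSA record.
# Destinations without TLSA records fall back to opportunistic TLS.
# Requires a DNSSEC-validating resolver that Postfix can trust
# (typically one running on the local host).
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Per-destination overrides for peers that need a stricter or
# different level than the global default.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy
# (run "postmap /etc/postfix/tls_policy" after editing)
#
# Hypothetical destination that must always be DANE-authenticated;
# mail is deferred if no usable TLSA records are found:
#   partner.example    dane-only
#
# Hypothetical destination without DNSSEC where encryption is still
# required, without authentication:
#   legacy.example     encrypt
```
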