On Sun, Feb 8, 2015 at 3:09 PM, Sam Varshavchik <mr...@courier-mta.com>
wrote:
>
>>
> That's true only if properly-signed SSL certificates are used. Since too
> many small to medium sized organizations (rightfully) don't feel like
> paying for a valid certificate for their mail server, too many mail servers
> end up using self-signed certs to the point that CA checking is not done,
> by default.
>
> And even if everything is done by the book, the whole scheme can be
> subverted by compromising any CA, or getting a CA to cooperate with Big
> Brother, which is certainly within the realm of Big Brother.
>
DNSSEC makes that a bit more difficult.
One way to do this, at least for small hosts, is to combine DNSSEC with TLS
1.2 on by default in all communications, and if you must, add exceptions
for some MXes that you permit unencrypted communication with.
DNSSEC is already practical, and at my employer, about 55% of all domains
are DNSSEC-enabled, with a reasonable prospect of reaching about 90% by
summer.
--
Jan
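The policy Jan sketches (TLS 1.2 required by default, certificate checks only meaningful when the MX name came from a DNSSEC-signed zone, and an explicit exception list for MXes still allowed to talk in clear) can be expressed as a small outbound-delivery policy. This is an added illustration, not Courier's code: the exception-list format, the `MxLookup` record and the function names are assumptions; a real MTA would feed in its resolver's AD-bit result.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed exception list (hypothetical format): one recipient domain per
# line, '#' starts a comment. Domains listed here may be delivered to in clear.
EXCEPTIONS_TEXT = """
# legacy partner whose MX cannot speak TLS yet
legacy.example.net
"""

@dataclass(frozen=True)
class MxLookup:
    """Outcome of resolving a recipient domain's MX (constructed, not a live lookup)."""
    domain: str
    mx_host: str
    dnssec_validated: bool  # True when a validating resolver set the AD bit

@dataclass(frozen=True)
class OutboundPolicy:
    require_tls: bool
    verify_cert: bool
    context: Optional[ssl.SSLContext]  # None means plaintext delivery is allowed

def parse_exceptions(text: str) -> set:
    """Return the set of recipient domains exempted from mandatory TLS."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def outbound_policy(lookup: MxLookup, exceptions: set) -> OutboundPolicy:
    """Decide how to connect to the MX for one recipient domain."""
    if lookup.domain.lower() in exceptions:
        return OutboundPolicy(require_tls=False, verify_cert=False, context=None)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 and SSLv3
    if lookup.dnssec_validated:
        # The MX name itself is authenticated by DNSSEC, so checking the
        # server certificate's chain and its match against mx_host is meaningful.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # Unsigned lookup: a spoofed MX name would pass any hostname check, so
        # only encrypt (protects against passive capture, not active MITM).
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return OutboundPolicy(require_tls=True,
                          verify_cert=lookup.dnssec_validated, context=ctx)
```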
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users