On 18/11/2011 10:00, Edward Martinez wrote:
> On 11/18/11 00:12, Matthias Apitz wrote:
>> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>>
>> see below; what does the FAIL mean exactly?
>>
> I have been reading on the subject and it appears you do not trust
> the certificate issuer for smtp.1blu.de.
Which is pretty much normal for SSL certs used for mail transfer. Most mail
servers use a self-signed certificate, because the important point is not to
verify the identity of the other party but to protect the messages in transit
against snooping. All that requires is a secure means of agreeing a symmetric
session key between both parties, and the TLS handshake is the best available
way of doing that.

Verifying SSL keys between MTAs is mostly useful only within one organisation,
where the keys can be issued from one central authority, or between a group of
tightly integrated organisations. With the advent of DNSSEC and things like the
DANE project (https://tools.ietf.org/html/draft-ietf-dane-protocol-12) that
might change, but DNSSEC adoption is too patchy yet for it to be effective.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
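As an added example (not part of the thread, and not sendmail's own code), the following Python script shows the distinction the reply above draws: it parses sendmail STARTTLS log lines of the kind quoted at the top, maps each verify= value to what it means, and separates "encrypted but peer not authenticated" (verify=FAIL, verify=NO) from "encrypted and authenticated" (verify=OK). It also builds the two kinds of client TLS context an MTA would use: strict verification (what verify=OK requires) and opportunistic encryption that accepts a self-signed or unknown-CA certificate. The log lines, host names and the meaning table are constructed for the example; the table is reproduced from sendmail's STARTTLS documentation from memory, so treat it as an assumption and check it against the op.me for your sendmail version.

```python
import re
import ssl
from collections import Counter

# Meaning of sendmail's verify= values. Assumption: reproduced from memory of
# sendmail's STARTTLS documentation; confirm against your version's op.me.
VERIFY_MEANING = {
    "OK": "peer certificate verified against a trusted CA",
    "FAIL": "peer presented a certificate but it could not be verified "
            "(e.g. issuer CA not in the configured CERTPATH)",
    "NO": "peer presented no certificate",
    "NOT": "no certificate was requested from the peer",
    "NONE": "STARTTLS was not performed",
    "TEMP": "temporary error during verification",
    "PROTOCOL": "protocol error during STARTTLS",
    "SOFTWARE": "STARTTLS handshake failed",
}

# Constructed sendmail-style log lines for this example (hosts are fictional).
SAMPLE_LOG = """\
Nov 18 00:12:01 mx sm-mta[1234]: pAI0C1xx001234: STARTTLS=client, relay=smtp.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 18 00:12:02 mx sm-mta[1235]: pAI0C2xx001235: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Nov 18 00:12:03 mx sm-mta[1236]: pAI0C3xx001236: STARTTLS=server, relay=[192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=RC4-SHA, bits=128/128
Nov 18 00:12:04 mx sm-mta[1237]: pAI0C4xx001237: to=<user@example.net>, delay=00:00:01, mailer=esmtp, stat=Sent
"""

# key=value pairs separated by commas, e.g. "verify=FAIL, cipher=AES128-SHA"
FIELD_RE = re.compile(r"(\w+)=([^,]+)")


def parse_starttls_line(line):
    """Return the key=value fields of a sendmail STARTTLS log line, else None."""
    if "STARTTLS=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Report whether a session was encrypted and whether the peer was authenticated.

    A cipher was negotiated whenever sendmail logs cipher=, so FAIL and NO still
    mean the mail went over an encrypted channel; only OK means the peer's
    identity was actually checked.
    """
    verify = fields.get("verify", "NONE")
    encrypted = "cipher" in fields and verify not in ("NONE", "PROTOCOL", "SOFTWARE")
    return {
        "role": fields.get("STARTTLS"),
        "relay": fields.get("relay", "?").rstrip("."),
        "verify": verify,
        "encrypted": encrypted,
        "authenticated": verify == "OK",
        "meaning": VERIFY_MEANING.get(verify, "unknown verify= value"),
    }


def summarize(log_text):
    """Classify every STARTTLS line in a log and count the verify= outcomes."""
    results = [classify(f) for f in map(parse_starttls_line, log_text.splitlines()) if f]
    return results, Counter(r["verify"] for r in results)


def make_client_context(verify_peer):
    """Client TLS context: strict CA verification, or opportunistic (any cert).

    Opportunistic mode is what most MTA-to-MTA links effectively run in: the
    channel is encrypted, but a self-signed or unknown-CA certificate is
    accepted, so an active attacker is not excluded.
    """
    ctx = ssl.create_default_context()
    if not verify_peer:
        # check_hostname must be cleared before verify_mode can drop to CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    sessions, counts = summarize(SAMPLE_LOG)
    for s in sessions:
        print(f"{s['role']:6} {s['relay']:20} verify={s['verify']:5} "
              f"encrypted={s['encrypted']} authenticated={s['authenticated']}  ({s['meaning']})")
    print("counts:", dict(counts))
```

Run against a real maillog with `summarize(open("/var/log/maillog").read())`; a large share of verify=FAIL and verify=NO with encrypted=True is the normal picture the reply describes, while verify=OK only appears for peers whose CA is in sendmail's CERTPATH.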