Hi,

On Mon, 7 Apr 2025 at 11:02, Jaroslaw Rafa via mailop wrote:
[Automation of short-term SSL cert replacement]

I am aware of scripts and tools to renew the certificates. But I refuse
to let such tools change security-relevant stuff like certificates. If I
let them do that, I could just as well drop it completely. It is a complete
bankruptcy. (I hope I am using that word the right way.)

I do not want to start a discussion about the folly of the current SSL
infrastructure. It is broken by design, and all that stuff like
short-lived certificates or CAA makes it even worse.

The only solution for that would be TLSA, but browsers boycott that
approach as it would render all those commercial CAs needless.

In context of mail we have DANE, which is basically TLSA. So fine for
that area.

> > I have a very accurate SPF. But I refuse to use any other than `-all` as
> > without it, it would make SPF useless! I never ever want any other host
> > to send mails in my name!
> 
> I hope you are well aware of the consequences (eg. that this does break
> forwarding) and accept them.

I am.

Currently there are some ways around that. As SPF only cares about
the envelope sender, it is enough for the forwarding system to change
that. Another system is SRS.

SPF without -all is technically useless.

By the way, I did not mean that DKIM changes the meaning, but DMARC. DMARC
validates the From header with SPF, which REALLY breaks forwarding.

> > >  * Don't do sender callout verification to SMTP servers which aren't
> > >    yours.
> > 
> > Why not?
> 
> Because many receiving servers now consider this as malicious activity and
> will put you on the blocklists if you do this.

Until now it didn't, but I will think about that. Thanks.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
