Hi,

On Mon, 7 Apr 2025 at 11:02, Jaroslaw Rafa via mailop wrote:

[Automatisation of short term SSL-Cert replacement]

I am aware of scripts and tools to renew the certificates. But I refuse to let such tools change some security stuff like certificates. Letting them do that stuff I could likewise drop it completely. It is a complete bankruptcy. (I hope to use that word the right way.)

I do not want to start a discussion about the folly of the current SSL infrastructure. It is broken by design and all that stuff like short running certificates or CAA makes it even worse. The only solution for that would be TLSA but browsers boycott that approach as it would render all those commercial CAs needless.

In context of mail we have DANE, which is basically TLSA. So fine for that area.

> > I have a very accurate SPF. But I refuse to use any other than `-all` as
> > without it, it would make SPF useless! I never ever want any other host
> > to send mails in my name!
>
> I hope you are well aware of the consequences (eg. that this does break
> forwarding) and accept them.

I am. Currently there are some ways around that. As SPF only cares about the envelope sender, it is enough to change that by the forwarding system. Another system is SRS.

SPF without -all is technically useless.

By the way, I did not mean DKIM changing the meaning but DMARC. DMARC does validate the From header with SPF, which is REALLY breaking forwards.

> > > * Don't do sender callout verification to SMTP servers which aren't
> > > yours.
> >
> > Why not?
>
> Because many receiving servers now consider this as malicious activity and
> will put you on the blocklists if you do this.

Until now it didn't but I will think about that. Thanks.

Regards
Klaus

--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop