On Thu, Dec 18, 2025 at 09:27:26AM +0100, Ralf Hildebrandt via mailop wrote:

> > With a different ECC root CA you might find a more broadly accepted
> > root, in case that's the issue for mimecast.
> 
> Not really. I rather think the whole issue is due to their customers
> setting for mandatory SSL, and they simply forgot (?) the ECC cert...

Well, it is charite.de's MTA-STS policy that makes for "mandatory SSL",
perhaps you're saying that mimecast should not have supported MTA-STS
without first making sure that their trust store has *all* the
usual CAs (whatever that means).

Of course the fact that the set of CAs one needs to trust to be able
to enable MTA-STS is not well defined is one of the ways in which
MTA-STS is a flawed design.

Of course charite.de could drop the MTA-STS policy and perhaps consider
DANE instead.

-- 
    Viktor.  🇺🇦 Слава Україні!