[Snip]
> PS, on the subject of ESP's.. what is the deal with so many bad 
> certificates from ESP's..

        I've seen plenty of problems with TLS encryption failures due to 
expired certificates, non-matching SNI / wrong certificates, etc., 
and I suspect a few problems may be a play for many of them...

        Automation is usually focused on keeping free certificates (like 
Let's Encrypt's, which has a 90-day cycle) updated on web server 
daemons, but very rarely for other daemons, and so I suspect that 
it's likely an oversight since eMail system configurations tend to 
require less maintenance than web server configurations (which often 
host custom programming).

        Also, many mail server daemons will still deliver to SMTP hosts with 
expired certificates, so users often don't notice when there's a 
problem with TLS, unless their eMail client applications report 
certificate problems when receiving or sending eMail ... or users 
don't bother to report anything to their technical support since 
choosing "Accept the Risks" has become a common part of modern 
computing (even some "Cookie usage" notices present as security 
notices, which also contributes to users habitually ignoring warnings 
due to "security risk" notices being commonplace).

        Postmasters should be checking regualrly on the state of the TLS 
certificates that their mail systems use, and ensuring renewals occur 
early enough, that the correct TLS versions are supported/dropped as 
the security industry changes, etc., which fits well into the DNS 
zone updates for rolling DKIM keys, DNS traffic encryption, etc.

-- 
Postmaster - [email protected]
Randolf Richardson, CNA - [email protected]
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Reply via email to