Hi Viktor,

> On Fri, Nov 07, 2014 at 07:48:02PM +0100, Bernhard Schmidt wrote:
>
>>> DANE does not apply to unsigned domains, even though the MX host
>>> might have TLSA RRs.
>>
>> Ah right, thanks for pointing that out. Should I be concerned that
>> sometimes anonymous TLS is chosen?
>
> No. It was my design choice to make Postfix prefer to use anonymous
> cipher suites when certificates are ignored anyway. One way to
> know that the SMTP server is likely running Postfix is to notice that
> it agrees to an anonymous cipher suite with your Postfix SMTP
> client.
>
> With the future TLS policy interface Wietse hinted at, in common
> configurations, we may negotiate the use of certificates more often,
> and log success when they happen to verify, even if such verification
> is not mandatory. For now, anonymous is the expected outcome with
> opportunistic TLS when the other end also supports it.
Thanks. If I may add a wish, I think it would be great if Postfix logged something about the certificate presented by the other side (i.e. the fingerprint) even on an Untrusted TLS connection. You can't use that information for policy, but it might help to detect that you were talking to another server in between.

Bernhard
