martin f krafft:

also sprach Wietse Venema <wie...@porcupine.org> [2017-09-17 21:51 +0200]:
> I wonder, if this is used for 'internal' email traffic, why bother
> with certificates that require frequent renewal? If the organization
> is that large, I would expect that all external email is handled
> by relay hosts on the perimeter, instead of allowing direct mail
> from random 'internal' hosts.

That's precisely what we're trying to do, except the perimeter is
non-physical as the hosts are spread across the 'Net, and there's no
consistent VPN, unfortunately.

So yes, all external mail is handled by a defined set of relay hosts
on the perimeter, but we need a sensible way to authorize access to
those relay hosts. I'd prefer certificates over SASL passwords, and
I think that the ease of using letsencrypt far outweighs the
additional security we'd get in return for the effort required to
manage our own PKI.
Why involve PKI when these hosts can't send direct mail to the Internet, and have to send through your relays?

Wietse
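For reference, the arrangement martin describes (perimeter relays that admit mail only from internal hosts presenting a TLS client certificate, with `permit_tls_clientcerts` in place of SASL passwords) looks roughly like this in Postfix. This is an added example, not configuration posted by either participant; the hostnames, paths and the fingerprint are placeholders.

```ini
# --- perimeter relay (server side), /etc/postfix/main.cf ---
# Example config; relay1.example.com, host42.example.net and all paths are assumed.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/relay1.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/relay1.example.com/privkey.pem
# Ask every connecting client for a certificate and verify it against this CA bundle.
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Relay permission is granted per fingerprint (certificate or public key), so a
# renewed certificate with a new key needs a new entry in relay_clientcerts.
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# permit_tls_clientcerts consults relay_clientcerts. Do not use
# permit_tls_all_clientcerts here: with a public CA bundle in smtpd_tls_CAfile it
# would admit any certificate that chains to any trusted CA, i.e. anyone holding
# a Let's Encrypt certificate.
smtpd_relay_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    reject_unauth_destination

# --- /etc/postfix/relay_clientcerts (run "postmap /etc/postfix/relay_clientcerts" after editing) ---
# <colon-separated sha256 fingerprint of the client certificate>   <free-form comment>
# (placeholder fingerprint below; obtain the real one with
#  openssl x509 -noout -sha256 -fingerprint -in fullchain.pem)
# 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF host42.example.net

# --- internal host (client side), /etc/postfix/main.cf ---
# Route all outbound mail through the perimeter relay and authenticate with our certificate.
relayhost = [relay1.example.com]
# "secure" verifies the relay's certificate chain and that it matches the relayhost name.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/letsencrypt/live/host42.example.net/fullchain.pem
smtp_tls_key_file  = /etc/letsencrypt/live/host42.example.net/privkey.pem
```

The practical consequence, and the point behind Wietse's question about "certificates that require frequent renewal", is that `relay_clientcerts` keys on a fingerprint, so every renewal that changes the client's key must be propagated to the relays' tables before the old certificate expires; only if the renewal reuses the key pair does a public-key fingerprint entry stay valid across renewals.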