On Fri, Sep 17, 2021 at 07:53:55PM +0200, Gerald Galster wrote:

> > I am curious why with opportunistic TLS (security level may), you're
> > bothering to take any action to tweak the entirely cosmetic certificate
> > path validation status?
> 
> What about parsing the maillog and adding those trusted servers to a table
> in order to enforce a higher tls level for future requests?

Well, absent some explicit commitment by the receiving domain to
continue to present meaningful certificates from trusted CAs, it would be
quite wrong to "pin" previously observed features.  The receiving domain
is free *at any time* to

    * drop TLS support,
    * limit TLS to particular highly trusted senders,
    * switch to self-issued certificates,
    * use DNS names in the certificate that don't match what you expect,
    * ...

If the receiving domain wants to signal transport security policy, it
can use DANE, or perhaps its crippled half-sibling MTA-STS.

> Or just to be informed a previously trusted server cannot establish
> trusted connections anymore.

Sure, but the forensic value of the signal is rather weak, since you
learn nothing about the names in the certificate, and anyone can get
a certificate from Let's Encrypt.  So your connection was to some
server that had some certificate, ... now what?

-- 
    Viktor.
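As an added illustration of the point made in the thread (not part of the original messages or of Postfix's own documentation), here is how the sending side can let the receiving domain signal policy via DANE instead of pinning observed certificate features. The domain names in the policy table are placeholders; the parameter names are real Postfix smtp(8) client settings.

```ini
# main.cf fragment (added example)

# Before: opportunistic TLS. Certificate verification is cosmetic here;
# a self-signed or name-mismatched certificate still yields a connection,
# so "Trusted" vs "Untrusted" in the log carries no enforcement weight.
#smtp_tls_security_level = may

# After: opportunistic DANE. Destinations whose MX hosts publish
# DNSSEC-signed TLSA records are upgraded to authenticated TLS; everyone
# else stays at the equivalent of "may". The policy comes from the
# receiving domain's own DNS, not from what we happened to see last week.
# Requires a local DNSSEC-validating resolver (e.g. on 127.0.0.1).
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

# Log one "Trusted/Verified/Untrusted/Anonymous TLS connection
# established" summary line per delivery for monitoring.
smtp_tls_loglevel = 1

# Per-destination exceptions stay explicit and human-reviewed,
# never auto-derived from the maillog.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (placeholder domains; run
# "postmap /etc/postfix/tls_policy" after editing):
#   partner.example    dane-only
#   billing.example    secure match=mx.billing.example:.billing.example
```

With `dane-only` delivery fails rather than falls back when TLSA records are missing or unusable, so reserve it for peers that have committed to publishing them; `secure match=...` is the explicit, CA-based alternative for a peer that has not deployed DANE.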
