>>> Sure, but the forensic value of the signal is rather weak, since you
>>> learn nothing about the names in the certificate, and anyone can get
>>> a certificate from Let's Encrypt. So your connection was to some
>>> server that had some certificate, ... now what?
>>
>> You'll get the information that a valid, CA-issued certificate was
>> used and you can extract the relay from the maillog.
>
> Yes, but at security level "may" the relay name need not have been any
> of the names in the certificate. At this TLS security level, the
> Postfix SMTP client neither knows which name to expect to find, nor
> goes to the trouble of looking to see which names if any are present.
>
> So a "Trusted" certificate tells you exceedingly little.

True, but it may be interpreted as a weak hint that a higher security level could be possible.

>> I'd guess for real mailservers that certificate would verify with the
>> mx/relay servername, which could be enforced and monitored.

My guess was that for real mailservers there are chances the relay name would also work with security level "verify", although a trusted certificate in security level "may" is just a weak indicator for that.

Best regards
Gerald
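
Added example, not part of the original message and not Postfix code: a sketch of the monitoring idea discussed in this thread, tallying the TLS status word the Postfix SMTP client logs per relay to shortlist relays worth testing at "verify". The log lines are constructed samples, the function names are hypothetical, and it assumes TLS summary logging is enabled (`smtp_tls_loglevel = 1`).

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx1 postfix/smtp[2101]: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:00:02 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, status=sent
Jan 10 09:05:11 mx1 postfix/smtp[2107]: Trusted TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:06:30 mx1 postfix/smtp[2110]: Trusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:07:45 mx1 postfix/smtp[2112]: Untrusted TLS connection established to mx.example.org[198.51.100.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:09:03 mx1 postfix/smtp[2115]: Trusted TLS connection established to relay.example.com[2001:db8::25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Status word, relay hostname, address and port of a TLS summary line.
TLS_LINE = re.compile(
    r"/smtp\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to ([^\[\s]+)\[([^\]]+)\]:(\d+)"
)


def tally(log_text):
    """Count TLS status words per relay hostname."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            counts[m.group(2).lower()][m.group(1)] += 1
    return counts


def verify_candidates(counts, min_seen=2):
    """Relays seen at least min_seen times whose chain always validated.

    At level "may" the status "Trusted" means only that the chain validated;
    no name was matched, so this is a shortlist to test, not proof that
    "verify" would succeed.
    """
    return sorted(
        relay for relay, c in counts.items()
        if sum(c.values()) >= min_seen
        and c["Untrusted"] == 0 and c["Anonymous"] == 0
    )


if __name__ == "__main__":
    for relay in verify_candidates(tally(SAMPLE_LOG)):
        print(relay)
```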
