Hello Bill,

you could as well just turn off encryption. If you don't care to whom you disclose information, why not allow anyone to read it? Are you also not using a trusted certificate, or even no certificate at all, for your public web site? Seriously, I know this discussion is 10+ years old. Is it better to encrypt communication to a communication partner without authentication, or not? Since authentication today is easy, I think (or hope) that discussion is irrelevant...

All, do we agree that email authentication requires two steps...

* DNSSEC
* trustworthy certificates (either trusted root or DANE) and validation

... unless we want to resort to manually configuring trust (obviously entries in /etc/hosts are less likely to be manipulated by an attacker)? And the dependency on DNSSEC is because of the indirection caused by MX, as otherwise - like in https - we can just validate the certificate against the user-specified domain. Moreover, with email we cannot assume a user to make the decision as in the browser certificate validation failure use case.

Thanks,
Joachim

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Bill Cole
Sent: Monday, 10 January 2022 01:29
To: Postfix users <[email protected]>
Subject: Re: TLS enforcement options?

On 2022-01-09 at 19:08:56 UTC-0500 (Sun, 9 Jan 2022 19:08:56 -0500)
Brett Dikeman <[email protected]> is rumored to have said:

> The effort of setting up LetsEncrypt is offset by the long-term
> benefit of automatically updated certificates, IMHO.

It's even easier to automate self-signed certificate regeneration. Anyone who uses self-signed certificates can just drop the command to generate a self-signed certificate into a cron job.

-- 
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
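What the two messages above are circling, in code (an added example written for this page, not Postfix source and not posted by Joachim or Bill): Joachim's point is that once DNSSEC is in place the MX host's certificate can be pinned by a DANE TLSA record instead of a trusted root, and Bill's point is that a self-signed certificate can simply be regenerated from cron. The script below shows how a DANE client matches the presented chain against TLSA records (RFC 6698 selector and matching-type semantics, plus the RFC 7672 rule that the PKIX usages 0 and 1 are unusable for SMTP) and why the two points only fit together if the cron job keeps the key and the published record is a "3 1 1" SPKI hash: a "3 0 1" full-certificate hash stops matching the moment the certificate is regenerated, even with the same key. Everything in the block is constructed: mx.example.net, the issuer name, the serial numbers and the TLSA records are invented, and the certificates are assembled with a toy DER encoder around dummy key bytes and a dummy signature, so nothing is cryptographically signed or verified; only the byte selection and hashing are what a real DANE client does.

```python
# DANE TLSA matching for an SMTP server certificate (RFC 6698, RFC 7672).
# Added example, not Postfix code.  Certificates are CONSTRUCTED with the tiny DER encoder
# below so it runs offline: real X.509 layout, dummy key bits, dummy (unsigned) signature.
import hashlib

def der_tlv(tag, body):
    """Encode one tag-length-value with a DER definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first >= 0x80:                       # long form: (first & 0x7F) length bytes follow
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo from Certificate ::= SEQ { TBSCertificate, sigalg, sig },
    TBSCertificate ::= SEQ { [0] version OPT, serial, sigalg, issuer, validity, subject, SPKI, ... }."""
    _, cert_body, _ = der_read(cert_der)
    fields = der_children(der_children(cert_body)[0][1])
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3)
        fields = fields[1:]
    tag, spki_body = fields[5]
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return der_tlv(0x30, spki_body)         # DER is canonical, so this re-encodes exactly

def parse_tlsa(rdata):
    """Presentation form 'usage selector mtype hex...' -> (u, s, m, bytes)."""
    u, s, m, *hexparts = rdata.split()
    return int(u), int(s), int(m), bytes.fromhex("".join(hexparts))

def tlsa_association(cert_der, selector, mtype):
    """Selector 0=Cert, 1=SPKI; matching type 0=Full, 1=SHA2-256, 2=SHA2-512."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](subject)

def dane_verify(chain, records):
    """First usable TLSA record satisfied by the presented chain (leaf first), else None.
    DANE-EE(3) matches the leaf; DANE-TA(2) matches a presented issuer (a real client
    must also validate the path to it).  PKIX-TA(0)/PKIX-EE(1) and unknown
    parameters make a record unusable for SMTP rather than a hard failure."""
    for rec in records:
        usage, selector, mtype, data = rec
        if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue
        for cert in (chain[:1] if usage == 3 else chain[1:]):
            if tlsa_association(cert, selector, mtype) == data:
                return rec
    return None

# --- constructed sample chain: same layout as real certs, dummy key and signature ---
def oid_alg(hex_oid):
    return der_seq(der_tlv(0x06, bytes.fromhex(hex_oid)), der_tlv(0x05, b""))
def x509_name(cn):   # Name ::= SEQ OF SET OF { OID 2.5.4.3 (CN), UTF8String }
    return der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, bytes.fromhex("550403")), der_tlv(0x0c, cn))))
def build_spki(key_bytes):   # rsaEncryption + BIT STRING (0 unused bits, dummy key bytes)
    return der_seq(oid_alg("2a864886f70d010101"), der_tlv(0x03, b"\x00" + key_bytes))
def build_cert(serial, subject, issuer, spki, not_after):
    sig_alg = oid_alg("2a864886f70d01010b")                  # sha256WithRSAEncryption
    validity = der_seq(der_tlv(0x17, b"220101000000Z"), der_tlv(0x17, not_after))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),     # [0] version = v3
                  der_tlv(0x02, serial.to_bytes(2, "big")), sig_alg,
                  x509_name(issuer), validity, x509_name(subject), spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" * 33))  # dummy, not a real signature

LEAF_SPKI = build_spki(hashlib.sha256(b"constructed leaf key").digest())
ISSUER = build_cert(0x0F01, b"Example Issuer", b"Example Issuer",
                    build_spki(hashlib.sha256(b"constructed issuer key").digest()), b"300101000000Z")
LEAF = build_cert(0x1001, b"mx.example.net", b"Example Issuer", LEAF_SPKI, b"230101000000Z")
LEAF_RENEWED = build_cert(0x1002, b"mx.example.net", b"Example Issuer", LEAF_SPKI, b"240101000000Z")

# TLSA records as an operator could publish them at _25._tcp.mx.example.net (constructed):
REC_EE_SPKI = "3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest()   # survives renewal with the same key
REC_EE_FULL = "3 0 1 " + hashlib.sha256(LEAF).hexdigest()        # breaks on every renewal
REC_TA_FULL = "2 0 1 " + hashlib.sha256(ISSUER).hexdigest()      # issuer as DANE trust anchor
REC_PKIX_EE = "1 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest()   # unusable for SMTP

if __name__ == "__main__":
    for label, chain in (("original", [LEAF, ISSUER]), ("renewed ", [LEAF_RENEWED, ISSUER])):
        for rec in (REC_EE_SPKI, REC_EE_FULL, REC_TA_FULL, REC_PKIX_EE):
            print(label, rec[:5], "match" if dane_verify(chain, [parse_tlsa(rec)]) else "no match")
```

Running it prints a match for the "3 1 1" record against both the original and the renewed certificate, a match for "3 0 1" only against the original, and no match for "1 1 1" at all. On a real host the "3 1 1" value comes from `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, and the Postfix settings that make the outbound side behave like this are `smtp_dns_support_level = dnssec` together with `smtp_tls_security_level = dane` (opportunistic, falls back when no usable TLSA record exists) or `dane-only`. The example does not build a certification path to a DANE-TA anchor, which a real client must do for usage 2 records.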
