On Fri, Apr 08, 2016 at 19:06:16 +0000, Viktor Dukhovni wrote:
> > I don't understand this: why would the STS client do a policy lookup not
> > on the recipient address? I understand that you can have a different
> > nexthop specified in your transport map, but why look that up instead of
> > the recipient address domain?
>
> Because STS is *transport* policy. Not end-to-end policy. Given
> that you expected otherwise, this definitely needs to be explained.
>
> Just because email is ultimately going to, say, Gmail, if my nexthop
> relay is some corporate outbound smarthost, the relevant STS policy
> is for that relay, not the destination domain.
OK, got it. But this is going to work only for nexthops / relays specified as a mail domain (and not as hosts), right?

I am not so sure about the usefulness of this, though. I mean: in case you are modifying the routing for a mail domain, I would have thought that you also need to disable the STS check (like you need to disable certificate pinning when using SSL web proxies). Or said differently: are you going to enforce TLS encryption to your outbound smarthosts using STS?

Cheers
David

_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
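The lookup rule Viktor describes (STS policy keyed by the transport nexthop, not the recipient domain) together with David's question about host-style nexthops, as an added example that is not part of the thread: a small model of the client-side policy selection using Postfix-style transport_maps entries. The transport map, the cached policies, and the treatment of bracketed or IP nexthops as having no domain policy to look up are all assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed Postfix-style transport_maps: recipient domain -> "transport:nexthop[:port]"
TRANSPORT_MAP = {
    "gmail.com": "smtp:relay.corp.example",           # smarthost named as a domain
    "example.org": "smtp:[mx.provider.example]:587",  # smarthost named as a host
    "example.net": "smtp:192.0.2.10",                 # smarthost named by IP
}

# Constructed STS policies cached by the sending MTA, keyed by policy domain
STS_POLICIES = {
    "gmail.com": {"mode": "enforce", "mx": ["*.google.com"]},
    "relay.corp.example": {"mode": "enforce", "mx": ["relay.corp.example"]},
    "mail.example": {"mode": "testing", "mx": ["mx1.mail.example"]},
}

# transport:nexthop[:port], where nexthop is either "[host]" or a bare name/IP
NEXTHOP_RE = re.compile(r"^[a-z]+:(\[[^\]]+\]|[^:]+)(?::\d+)?$")


def nexthop_for(recipient_domain):
    """Nexthop the MTA connects to: the transport_maps entry if one exists,
    otherwise the recipient domain itself (default MX routing)."""
    entry = TRANSPORT_MAP.get(recipient_domain)
    if entry is None:
        return recipient_domain
    m = NEXTHOP_RE.match(entry)
    if m is None:
        raise ValueError(f"unparseable transport entry: {entry}")
    return m.group(1)


def sts_policy_domain(nexthop):
    """Domain whose STS policy governs this hop, or None for a host literal
    (bracketed name or IP), which has no domain policy to look up (assumption)."""
    if nexthop.startswith("["):
        return None
    try:
        ipaddress.ip_address(nexthop)
        return None
    except ValueError:
        return nexthop.lower()


def effective_policy(recipient):
    """(policy_domain, policy) the client consults for this recipient: the
    lookup is keyed by the transport nexthop, not by the recipient's domain."""
    domain = recipient.rpartition("@")[2].lower()
    policy_domain = sts_policy_domain(nexthop_for(domain))
    if policy_domain is None:
        return None, None
    return policy_domain, STS_POLICIES.get(policy_domain)
```

With this map, mail for gmail.com is checked against the corporate relay's policy rather than Gmail's, and the two host-literal smarthosts get no STS check at all, which is exactly the situation David is asking about.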
