> On 13 May 2016, at 01:54, John Levine <[email protected]> wrote:
>
>> Incompetence will show up consistently and therefore can be detected by
>> a considerably simpler mechanism: a testing site, like Qualys SSL Labs.
>> I see that there is a checktls.com that does exactly this. Incompetent
>> email operators will probably not implement reporting anyway.
>>
>> Reporting is, however, useful for detecting TLS breakages that don't
>> consistently show up, which are much more likely to be caused by, as you
>> put it, "evil".
>
> Maybe, maybe not. If you have several MTAs behind a load balancer, or
> geographically distributed MTAs with the usual DNS tricks to point
> people at the closest host, and one is misconfigured, the symptom
> would be flakiness. A one-off test like Qualys does would likely
> hit one of the good ones.
True, but admins usually at least know where their stuff is (hosted), don't
they?
You can do Qualys on your own:
```
# totally not production ready
pip install --upgrade sslyze
domain="azet.org" # change domain to an array of actual IP addresses if your DNS is using GeoIP
# `dig +short mx` prints "<priority> <host>." per record: keep only the host
# and drop the trailing dot, otherwise the loop also scans the priority numbers
for mx in $(dig +short mx "${domain}" | awk '{ sub(/\.$/, "", $2); print $2 }'); do
  sslyze_cli.py --regular --certinfo_full --starttls=smtp "${mx}"
done
```
Kinda.
Aaron
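The one-liner above scans each MX hostname once, so, as the quoted reply points out, a load-balanced or geo-distributed MX with one broken backend can still pass by luck. The script below is an added example (not part of Aaron's message and not sslyze code) that closes that gap: it parses the `dig +short mx` output, resolves every A/AAAA address behind each MX name, and runs a STARTTLS handshake against each address individually, verifying the certificate against the MX hostname the way a sending MTA would. It assumes `dig` is on the PATH and uses `azet.org` (the domain from the message) only as a default; the EHLO name `tls-check.invalid` and the sample SMTP reply in the docstrings are constructed.

```python
"""Check STARTTLS on every address behind every MX of a domain.

Added example, not from the original message. `dig +short mx` yields
"<priority> <host>." lines; each host may front several load-balanced or
geo-distributed servers, so every resolved address is tested on its own.
"""
import io
import socket
import ssl
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Tuple

SMTP_PORT = 25


def parse_mx_records(dig_output: str) -> List[Tuple[int, str]]:
    """Turn `dig +short mx <domain>` output into sorted (priority, host) pairs.

    dig prints e.g. "10 mx1.example.org."; looping over the raw words would
    also feed the priority numbers to the scanner, so parse the pairs properly.
    """
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".")))
    return sorted(records)


def resolve_all(hostname: str, port: int = SMTP_PORT) -> List[str]:
    """All A and AAAA addresses behind one MX name (needs DNS, network only)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def read_reply(rfile) -> Tuple[int, List[str]]:
    """Read one SMTP reply; "250-text" lines continue it, "250 text" ends it."""
    code, texts = 0, []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(line[:3])
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, texts


def parse_reply(raw: bytes) -> Tuple[int, List[str]]:
    """Parse a captured reply (constructed bytes) without a socket."""
    return read_reply(io.BytesIO(raw))


def advertises_starttls(ehlo_texts: List[str]) -> bool:
    """EHLO lists one extension keyword per line; line 0 is the server name."""
    return any(t.split(None, 1)[0].upper() == "STARTTLS"
               for t in ehlo_texts[1:] if t.strip())


@dataclass
class StartTlsResult:
    ip: str
    ok: bool
    detail: str  # negotiated version and cipher, or the failure reason


def check_starttls(ip: str, server_name: str, port: int = SMTP_PORT,
                   timeout: float = 10.0) -> StartTlsResult:
    """Connect to one address, negotiate STARTTLS, verify the chain and hostname."""
    ctx = ssl.create_default_context()  # full chain + hostname verification
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            code, _ = read_reply(rfile)
            if code != 220:
                return StartTlsResult(ip, False, f"greeting returned {code}")
            sock.sendall(b"EHLO tls-check.invalid\r\n")  # constructed client name
            code, texts = read_reply(rfile)
            if code != 250 or not advertises_starttls(texts):
                return StartTlsResult(ip, False, "STARTTLS not advertised")
            sock.sendall(b"STARTTLS\r\n")
            code, _ = read_reply(rfile)
            if code != 220:
                return StartTlsResult(ip, False, f"STARTTLS refused with {code}")
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                tls.sendall(b"QUIT\r\n")
                return StartTlsResult(ip, True, f"{tls.version()} {tls.cipher()[0]}")
    except (OSError, ssl.SSLError, ValueError) as exc:
        return StartTlsResult(ip, False, f"{type(exc).__name__}: {exc}")


def scan_domain(domain: str) -> List[Tuple[str, StartTlsResult]]:
    """Resolve MX records with dig, fan out to every address, check each one."""
    dig = subprocess.run(["dig", "+short", "mx", domain],
                         capture_output=True, text=True, check=True)
    results = []
    for _prio, host in parse_mx_records(dig.stdout):
        for ip in resolve_all(host):
            results.append((host, check_starttls(ip, host)))
    return results


if __name__ == "__main__":
    for host, res in scan_domain(sys.argv[1] if len(sys.argv) > 1 else "azet.org"):
        print(f"{'OK  ' if res.ok else 'FAIL'} {host:30} {res.ip:40} {res.detail}")
```

Run it with the domain as the only argument; a host that is healthy on three addresses and broken on the fourth shows up as one FAIL line instead of an intermittent failure in someone else's mail logs. Verification is deliberately strict (a public CA chain matching the MX name), which is the opportunistic-TLS ideal rather than what most MTAs enforce today, so treat a FAIL as "worth a look" rather than "mail will bounce".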
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
