> On 7 January 2019 at 12:36 Alice Wonder <[email protected]> wrote:
>
>     On 1/7/19 2:46 AM, Vittorio Bertola wrote:
>
>         On that point, you are right when you say that big systems that host
>         mail for thousands or millions of domains are unlikely to ever implement
>         MTA-STS, as that requires activating one HTTP service per domain -
>         but we already have DANE for that case.
>
>     Additional note on this.
>     I and many others already have policy maps requiring "secure" (starttls
>     + PKI validating certificate) connection to the "major" providers of
>     third-party mail services.
>
You should also accept the other flavour of "secure" (starttls + DANE + any 
certificate matching the DANE records, even a self-signed one), though major 
providers will use PKI-validating certificates anyway, even with DANE. Also, 
without DANE, a PKI-validating certificate is not enough if you don't check 
that the hostname in the certificate matches the intended destination. I'm sure 
you know, but just for the sake of completeness, if anyone actually wanted to 
write a best practice document...

Regards,

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy
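The two flavours of "secure" discussed above, written out as an added example of a per-destination TLS policy map. This is not configuration from the thread; it assumes the "policy maps" in question are Postfix smtp_tls_policy_maps, and the domains are placeholders.

```conf
# main.cf (assumed Postfix; the thread does not name the MTA)
smtp_tls_security_level = dane            # opportunistic DANE for unlisted destinations
smtp_dns_support_level  = dnssec          # DANE is only meaningful with a validating resolver
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (domain names are placeholders)
#
# Weak: "verify" checks the chain, but by default matches the certificate
# against the MX hostname learned from (unsigned) DNS, so a forged MX record
# still yields a "verified" session. This is the gap the reply points out.
# weak-example.com    verify
#
# PKI flavour: chain validated AND the name must match the intended
# destination (the nexthop domain or a subdomain of it), not whatever
# hostname DNS happened to return.
provider-pki.example  secure match=provider-pki.example:.provider-pki.example
#
# DANE flavour: require TLSA records and accept whatever certificate they
# designate, including a self-signed one; delivery is deferred if no usable
# TLSA RRset is found rather than silently downgrading.
provider-dane.example dane-only
```

Run `postmap /etc/postfix/tls_policy` after editing the table; the `secure` entry's `match=` list is what ties the PKI check to the destination name.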
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta