On Mon, 27 Oct 2008, Carl S. Gutekunst wrote:
FWIW, I've actually measured that. Each of Postini's outbound SMTP
relays connects to roughly 30,000 domains per day that claim TLS
support. Of those, about 50% use self-signed certs. (Certain "demo"
certs come up over and over.) Another 35% are CA signed, but contain
errors, like incomplete chains or expired certs. Of the 15% where the
certificate chain is valid, half don't match the MX name. So -- only 7%
to 8% of all MX domains that implement TLS do so correctly. Note that
Postini's outbound service is heavily biased towards B-to-B.
A useful survey, thanks. Did you check certificates against both the
hostname and the mail domain?
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
FITZROY: NORTH OR NORTHWEST 5 TO 7, PERHAPS GALE 8 LATER. ROUGH OR VERY ROUGH.
RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD.