Tony Finch wrote:
> On Mon, 27 Oct 2008, Carl S. Gutekunst wrote:
>> FWIW, I've actually measured that. Each of Postini's outbound SMTP
>> relays connects to roughly 30,000 domains per day that claim TLS
>> support. Of those, about 50% use self-signed certs. (Certain "demo"
>> certs come up over and over.) Another 35% are CA signed, but contain
>> errors, like incomplete chains or expired certs. Of the 15% where the
>> certificate chain is valid, half don't match the MX name. So -- only 7%
>> to 8% of all MX domains that implement TLS do so correctly. Note that
>> Postini's outbound service is heavily biased towards B-to-B.
>
> A useful survey, thanks. Did you check certificates against both the
> hostname and the mail domain?

Hostname only. My casual inspection of the failed hostnames suggested
that checking the mail domain would not have helped. I do support
wildcards in the cert, e.g., *.psmtp.com. I don't currently support IP
addresses in the cert, although I didn't see any sites that failed
because of that.
Note that there could have been lots of certs with correct hostnames
that I wouldn't have checked. I don't check the hostname unless the cert
chain is valid.
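The classification order the reply describes (self-signed first, then chain errors, and a hostname check only once the chain validates, with wildcards such as *.psmtp.com accepted as a whole leftmost label) can be written down as a small classifier. The code below is an added illustration, not code from Postini or either poster; the CertInfo fields, the category names and the SAMPLE_RECORDS are constructed for the example, standing in for what a real relay would extract from the peer certificate after its own chain verification.

```python
"""Bucket MX TLS certificates the way the survey in the thread does (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CertInfo:
    """Minimal view of a peer certificate (constructed for this example)."""
    self_signed: bool
    chain_complete: bool
    expired: bool
    names: List[str]  # CN plus subjectAltName dNSName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against the MX hostname.

    A wildcard is honoured only as the entire leftmost label (*.psmtp.com),
    it matches exactly one label, and it never matches the bare domain.
    Partial wildcards (m*.example.com) and IP addresses are not matched,
    mirroring the behaviour described in the reply.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".psmtp.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]
        return left != "" and "." not in left
    return False


def classify(cert: CertInfo, mx_host: str) -> str:
    """Return the survey bucket for one (certificate, MX hostname) pair."""
    if cert.self_signed:
        return "self-signed"
    if not cert.chain_complete or cert.expired:
        return "ca-signed-with-errors"
    # Hostname is only examined once the chain itself is valid.
    if any(name_matches(n, mx_host) for n in cert.names):
        return "valid"
    return "valid-chain-name-mismatch"


def summarize(records: List[Tuple[CertInfo, str]]) -> Dict[str, int]:
    """Count how many observed MX hosts fall into each bucket."""
    counts: Dict[str, int] = {}
    for cert, host in records:
        bucket = classify(cert, host)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample observations; hostnames are placeholders, not real MX hosts.
SAMPLE_RECORDS: List[Tuple[CertInfo, str]] = [
    (CertInfo(True, True, False, ["demo.example"]), "mx.alpha.example"),
    (CertInfo(True, True, False, ["localhost"]), "mx.beta.example"),
    (CertInfo(False, False, False, ["mx.gamma.example"]), "mx.gamma.example"),
    (CertInfo(False, True, True, ["mx.delta.example"]), "mx.delta.example"),
    (CertInfo(False, True, False, ["*.psmtp.com"]), "mx1.psmtp.com"),
    (CertInfo(False, True, False, ["mail.epsilon.example"]), "mx.zeta.example"),
]

if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{bucket:28s} {n}")
```

Running it prints one line per bucket for the constructed sample; in a real relay the CertInfo values would come from the TLS library's verification result, and the hostname step would still be skipped for anything that failed chain validation.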