On 14 Sep 2013, at 16:40, keld(_at_)keldix(_dot_)com wrote:
> There are not that many MTA implementations out there so if we can persuade
> implementers to provide STARTTLS per default, I see this as a path
> with good chances to succeed. We could even advise implementers to generate a
> certificate. This guidance could be done in an RFC.
How do you propose that receivers verify self-signed certificates?
Note that many MTAs (Exchange, notably) will fail delivery if STARTTLS is
offered, but verification does not succeed. This is stupid because Exchange
will happily deliver to hosts if STARTTLS is not advertised, so it's an
inconsistent policy. (The solution for postmasters is then to either maintain
a table of known stupid hosts, or [as in my case] just turn off server TLS.)
ietf-smtp mailing list
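The two postmaster workarounds named in the reply (a table of known hosts, or turning server TLS off), written out as a Postfix SMTP server configuration. This is an added example, not from the thread; the post does not name its MTA, and Postfix, the file paths and the client address 192.0.2.10 are assumptions.

```conf
# /etc/postfix/main.cf (added example; paths are placeholders)
# Keep opportunistic TLS on for every client ...
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server-cert.pem
smtpd_tls_key_file = /etc/postfix/server-key.pem
# ... but stop advertising STARTTLS in the EHLO reply to clients that are
# known to abort delivery when they cannot verify the certificate.
# This is the "table of known hosts" option: TLS stays on for everyone else.
smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/no_starttls_clients

# /etc/postfix/no_starttls_clients (run "postmap" on it after editing)
# client address (constructed value)   EHLO keywords to suppress
192.0.2.10                             silent-discard, starttls

# The other option from the post, turning server TLS off for all clients;
# every other sender then also falls back to cleartext:
# smtpd_tls_security_level = none
```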