Re: [exim] tls_certificate weirdness

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] tls_certificate weirdness

> On Aug 27, 2016, at 2:09 PM, Phillip Carroll <domainmanager@???> wrote:
>
> DANE seems to be the only solution to that, barring a total replacement of smtp with something else. I had thought (until DANE study) that use of a CA-issued cert was sufficient.


For most SMTP receiving systems, given sufficient operational
skill in keeping DNSSEC functional and TLSA records accurate,
DANE is a matter of "good hygiene". If someone does have sensitive
email to deliver, they can do so without STARTTLS stripping or
other downgrade attacks.

That said, not everyone has to be an early adopter. DANE is still
bleeding edge. By the end of this year there'll likely be around
1 million DANE-enabled domains, mostly small domains operated by
hosting providers. Today, the number of DANE SMTP domains in my
survey is a bit over 55,000, handled by just under 2200 MX host
"pools" (counting multiple MX hosts that share the same certificate
or the same DNS zone as a single "pool").

Deployment on personal, corporate and large email provider systems
will take longer. There are of course a few notable exceptions
in the latter camp, for example:

    posteo.de
    mailbox.org
    kabelmail.de
    bund.de
    gmx.de
    t-2.net
    comcast.net
    ...

come to mind.

-- 
    Viktor.
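The "keeping TLSA records accurate" part of the message above is where most DANE deployments go wrong in practice: the record in DNS has to match the certificate (or its public key) that the MX host actually presents. What follows is an added example, not code from the thread, from Viktor, or from Exim. It uses only the Python standard library: a small DER encoder/decoder, a constructed X.509 certificate for a hypothetical host mx.example (structurally valid, but with a zeroed signature that is never verified), a generator for the usual "3 1 1" record (DANE-EE, SubjectPublicKeyInfo, SHA-256), and a matcher that checks a presented certificate against a set of TLSA records. It assumes the records were obtained through a DNSSEC-validating resolver; it does no DNSSEC checking itself, and usages 0-2 (which need chain building) are deliberately skipped.

```python
"""Build and check DANE-EE (usage 3) TLSA records for an SMTP server certificate.
Added example, standard library only; the certificate is constructed in place
with a dummy signature and is never signature-checked."""
import hashlib

SEQUENCE, INTEGER, BITSTRING, NULL, OID, UTF8, UTCTIME, SET = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0x31)
OID_RSA = bytes.fromhex("2A864886F70D010101")        # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # commonName

def der_tlv(tag, body):
    """Encode one DER tag/length/value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_int(raw):
    # INTEGER from a big-endian magnitude; pad so it is not read as negative.
    return der_tlv(INTEGER, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def alg_id(oid):
    return der_tlv(SEQUENCE, der_tlv(OID, oid) + der_tlv(NULL, b""))

def x509_name(cn):
    rdn = der_tlv(SEQUENCE, der_tlv(OID, OID_CN) + der_tlv(UTF8, cn.encode()))
    return der_tlv(SEQUENCE, der_tlv(SET, rdn))

def build_test_spki(fill=0xAB):
    """Constructed SubjectPublicKeyInfo with a fake 2048-bit RSA modulus."""
    rsa_key = der_tlv(SEQUENCE, der_int(bytes([fill]) * 256) + der_int(b"\x01\x00\x01"))
    return der_tlv(SEQUENCE, alg_id(OID_RSA) + der_tlv(BITSTRING, b"\x00" + rsa_key))

def build_test_certificate(fill=0xAB):
    """Constructed X.509 v3 certificate for mx.example (hypothetical); signature is zeros."""
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"160101000000Z")
                       + der_tlv(UTCTIME, b"260101000000Z"))
    tbs = der_tlv(SEQUENCE,
                  der_tlv(0xA0, der_int(b"\x02"))   # [0] EXPLICIT version v3
                  + der_int(b"\x01")                 # serialNumber
                  + alg_id(OID_SHA256_RSA)           # signature algorithm
                  + x509_name("mx.example")          # issuer
                  + validity
                  + x509_name("mx.example")          # subject
                  + build_test_spki(fill))           # subjectPublicKeyInfo
    return der_tlv(SEQUENCE, tbs + alg_id(OID_SHA256_RSA) + der_tlv(BITSTRING, b"\x00" * 257))

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (selector 1 input) from a certificate."""
    _, cert_body, _ = der_read(cert_der, 0)      # Certificate
    _, tbs, _ = der_read(cert_body, 0)           # tbsCertificate
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                              # optional [0] version
        pos = nxt
    for _ in range(5):                           # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, nxt = der_read(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:nxt]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA, e.g. '3 1 1 <sha256 of SPKI>' (the usual SMTP choice)."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    assoc = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
             2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def cert_matches_tlsa(cert_der, records):
    """DANE-EE check: True if any usage-3 record matches the presented certificate.
    Usages 0-2 need chain building and are skipped; DNSSEC validity of the
    records is assumed (a real client checks the resolver's AD bit)."""
    for rec in records:
        usage, selector, mtype, assoc = rec.split(None, 3)
        if int(usage) != 3:
            continue
        expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
        if expected == "".join(assoc.split()).lower():
            return True
    return False

if __name__ == "__main__":
    cert = build_test_certificate()
    record = tlsa_rdata(cert)
    print("_25._tcp.mx.example. IN TLSA", record)
    print("matches:", cert_matches_tlsa(cert, [record]))
    print("after silent key change:", cert_matches_tlsa(build_test_certificate(0xCD), [record]))
```

For a real certificate file the selector-1 digest produced here is the same value as the common `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` pipeline, which is a convenient cross-check. The last print line is the failure mode the message alludes to: rotate the key without first publishing a record for the new key (and waiting out the old record's TTL), and every DANE-verifying sender will refuse to deliver until DNS catches up.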