• Evgeniy Berdnikov via Exim-users [2023-03-29 11:22]:
> On Wed, Mar 29, 2023 at 09:40:16AM +0200, Kirill Miazine via Exim-users wrote:
> > I understand it might help a little bit to require TLS, but without
> > verification that a certificate is valid, TLS requirement is not such
> > a big win, is it?
>
> Depends on your aims. Pure encryption is one level of security,
> protection against MitM attacks is another level.
Exactly. The former preventing passive data collection, the latter --
active. Still, if *I* were to state a legal requirement that certain
domains use TLS, I'd also ask for verification either via TLS or
DANE, because just TLS is a very small win.
> > I too have a transport that would require TLS for certain sending
> > domains, but I haven't yet required TLS verification, because it often
> > breaks.... So there we are...
>
> Probably you don't yet have a clear understanding of your own needs.
I was just doing an experiment setting up a domain that would require
TLS for receiving and TLS for sending, and ideally I'd want
verification when sending, but we aren't there yet.
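
The three levels discussed in this thread, sketched as alternative Exim smtp transports. This is an added example, not configuration from either poster; the transport names are hypothetical, and the DANE variant assumes an Exim build with DANE support and a DNSSEC-validating resolver.

```exim
# Constructed example: three alternative smtp transports.
# Transport names are hypothetical; pick one per router.

# 1. Encryption only. Delivery is refused if STARTTLS is not available,
#    but any certificate is accepted. This stops passive collection on
#    the wire; an active MitM can still present its own certificate.
remote_smtp_tls_only:
  driver = smtp
  hosts_require_tls = *
  tls_verify_hosts =

# 2. Encryption plus certificate verification against the system CA
#    bundle. A certificate that does not chain to a trusted CA, or does
#    not match the host name, causes the delivery to be deferred. This
#    is the variant that "often breaks" with misconfigured receivers.
remote_smtp_tls_verified:
  driver = smtp
  hosts_require_tls = *
  tls_verify_hosts = *
  tls_verify_certificates = system
  tls_verify_cert_hostnames = *

# 3. Encryption plus DANE. The server certificate must match
#    DNSSEC-signed TLSA records for the MX host; hosts without usable
#    TLSA records are not delivered to over this transport.
remote_smtp_dane:
  driver = smtp
  dnssec_request_domains = *
  hosts_require_dane = *
```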