Date: Tue, 21 Jul 2020 00:00:16 +0200
From: Steffen Nurpmeso
To: 9front@9front.org
Subject: Re: [9front] patch smtp: ignore unrecognized certificates
Message-ID: <20200720220016.lADRh%sdaoden@yandex.com>
In-Reply-To:
References:
Mail-Followup-To: 9front@9front.org
User-Agent: s-nail v14.9.19-86-gf42d80dc-dirty
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: social method

cinap_lenrek@felloff.net wrote in :

 |
 |for servers like your isp's or your networks forwarding mailserver
 |(machines that you have direct relation or control over), it makes
 |sense to pin certificates or public key. this is where you use
 |smtps, instead of this insecure STARTTLS contraption.

In November 2019 they waved through RFC 8689: SMTP Require TLS Option

  Abstract

  The SMTP STARTTLS option, used in negotiating transport-level
  encryption of SMTP connections, is not as useful from a security
  standpoint as it might be because of its opportunistic nature;
  message delivery is, by default, prioritized over security. This
  document describes an SMTP service extension, REQUIRETLS, and a
  message header field, TLS-Required. If the REQUIRETLS option or
  TLS-Required message header field is used when sending a message, it
  asserts a request on the part of the message sender to override the
  default negotiation of TLS, either by requiring that TLS be
  negotiated when the message is relayed or by requesting that
  recipient-side policy mechanisms such as MTA-STS and DNS-Based
  Authentication of Named Entities (DANE) be ignored when relaying a
  message for which security is unimportant.

P.S.: several times i tried to contact Stanley Lieber in the past, but
never got a response. If this mail gets through (quite some did not in
the past), would you mind changing my address to steffen@@sdaoden.eu,
please? Thank you!!

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
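As an added illustration of the REQUIRETLS mechanism the quoted abstract describes (this is not code from the thread, from 9front's smtp, or from the RFC), the decision a sending MTA has to make before issuing MAIL FROM: the REQUIRETLS parameter may only be used when the next hop advertised the keyword inside the TLS-protected session, and a message that demands TLS is never sent in the clear. The EHLO replies, the host "mx.example.net" and the sender address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed EHLO replies from a hypothetical next-hop MTA "mx.example.net".
PRE_TLS_EHLO = "250-mx.example.net Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
POST_TLS_EHLO = "250-mx.example.net Hello\r\n250-SIZE 10240000\r\n250-REQUIRETLS\r\n250 8BITMIME"
PLAIN_EHLO = "250-mx.example.net Hello\r\n250 8BITMIME"  # server offers no STARTTLS at all


def parse_ehlo(reply: str) -> set:
    """Return the EHLO keywords (upper-cased) from a multi-line 250 reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        words = line[4:].split()         # skip "250-" / "250 " prefix
        if line.startswith("250") and words:
            keywords.add(words[0].upper())
    return keywords


@dataclass
class Decision:
    send: bool      # False: queue or bounce, do not transmit the message now
    command: str    # MAIL FROM line to issue when send is True
    reason: str


def mail_from_decision(pre_tls: str, post_tls: Optional[str],
                       sender: str, require_tls: bool) -> Decision:
    """Decide how to issue MAIL FROM for a message that may carry REQUIRETLS.

    pre_tls is the EHLO reply on the cleartext connection; post_tls is the
    reply after STARTTLS succeeded (None if no TLS session was established).
    require_tls is True when the message was handed to us with REQUIRETLS.
    """
    mail_from = f"MAIL FROM:<{sender}>"
    if "STARTTLS" not in parse_ehlo(pre_tls) or post_tls is None:
        if require_tls:
            return Decision(False, "", "REQUIRETLS set but no TLS session: must not deliver in clear")
        return Decision(True, mail_from, "opportunistic STARTTLS: fallback to cleartext")
    if not require_tls:
        return Decision(True, mail_from, "TLS session, REQUIRETLS not requested")
    if "REQUIRETLS" not in parse_ehlo(post_tls):
        return Decision(False, "", "next hop does not advertise REQUIRETLS: must not relay")
    return Decision(True, mail_from + " REQUIRETLS", "REQUIRETLS honoured on TLS session")
```

The two `send=False` branches are exactly where opportunistic STARTTLS would have delivered anyway; that is the downgrade the extension closes.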