Google wants to add 'not encrypted' warnings to Gmail

Vic

Re: We're the only one...

SMTP, unlike HTTPS, has no way to present you the right certificate when you connect.

Yes it does.

When you connect to an MTA and go through the TLS procedure, you get the certificate for that MTA. If you get a certificate for a different MTA, something is bogus.

No, you didn't, exactly like a CNAME doesn't imply any trust relationship.

When you publish a record that claims a given machine will handle your email traffic, that is a trust relationship. You forge the relationship, and you take the rewards and penalties that that implies.

A web server can be smart enough to present the correct certificate for a request even if it comes from a CNAME resolution; an SMTP server can't, because STARTTLS happens before the sender can tell what domain it is going to send to.

An MTA produces its own certificate. The trust relationship is forged in declaring that MX for the domain. And you secure that with DNSSEC...

But feel free to believe broken security is good just because you get some encryption which is close to useless.

Look, you clearly don't understand some part of this whole technology. My bet at the moment, based on what you've posted so far, is that you think the MX record gives you an IP address. Would that be your opinion? Because it most assuredly isn't so.

Vic.
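The check Vic is describing, as an added example that is not part of the thread: the MX record yields a hostname (not an IP), the MTA's own certificate is matched against that hostname rather than against the recipient domain, and the MX answer only carries trust if DNSSEC validated it. All domain names and certificate contents below are constructed.

```python
from dataclasses import dataclass

@dataclass
class MXRecord:
    preference: int
    exchange: str  # always a hostname, never an IP address

# Constructed sample: an MX lookup for example.org and the SAN list of the
# certificate the chosen MTA presented during STARTTLS.
SAMPLE_MX = [MXRecord(20, "mx2.mail-provider.example."),
             MXRecord(10, "mx1.mail-provider.example.")]
SAMPLE_SAN = ["mx1.mail-provider.example", "*.mail-provider.example"]

def pick_mx(records):
    """Lowest preference value wins; returns a normalised hostname."""
    best = min(records, key=lambda r: r.preference)
    return best.exchange.rstrip(".").lower()

def _dnsname_matches(pattern, host):
    # A wildcard may only stand for a single leftmost label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return (host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:]))
    return pattern == host

def cert_matches_host(san_dnsnames, host):
    return any(_dnsname_matches(p, host) for p in san_dnsnames)

def verify_mta_identity(recipient_domain, mx_records, mx_dnssec_validated,
                        san_dnsnames):
    """Return (ok, reason). The certificate is compared with the MX host,
    not with recipient_domain; an unauthenticated MX answer is rejected
    because a spoofed MX could point at any MTA with a valid certificate."""
    mx_host = pick_mx(mx_records)
    if not cert_matches_host(san_dnsnames, mx_host):
        return False, f"certificate does not name MX host {mx_host}"
    if not mx_dnssec_validated:
        return False, f"MX for {recipient_domain} not DNSSEC-validated"
    return True, f"certificate matches DNSSEC-validated MX host {mx_host}"

if __name__ == "__main__":
    print(verify_mta_identity("example.org", SAMPLE_MX, True, SAMPLE_SAN))
    # A certificate for the recipient domain itself is the wrong expectation:
    print(verify_mta_identity("example.org", SAMPLE_MX, True, ["example.org"]))
```

This is the model that RFC 7672 (DANE for SMTP) formalises; without a validated DNS chain the certificate check alone proves only that you reached the host the (possibly forged) MX named.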
