On 04/27/2016 01:06 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder alice@domblogger.net wrote:
>> Not with a smtp that enforces DANE.
> I'm aware of how DANE works.
> The only problem is no MTA outside of Postfix implements it.
> You can thank the hatred of DNSSEC for that.

I never understood the hatred for DNSSEC.
When I first read about it, it was like a beautiful epiphany.
But DNSSEC adoption is increasing. I keep seeing the green DNSSEC icon in my browser more and more often; when I first started using it, it was rare.
But the point is, other mail servers may not have implemented it yet, but Postfix has implemented it, and the stock version in RHEL / CentOS is too old. Barely too old, but too old.
Thus better security is achieved by running a newer version.
Especially since adoption is in fact increasing.