[CentOS] Apache/PHP Installation - opinions

Wed Apr 27 08:04:26 UTC 2016
Alice Wonder <alice at domblogger.net>

On 04/27/2016 12:59 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder <alice at domblogger.net> wrote:
>> That is the only reliable way to avoid MITM with SMTP.
>
> Except I can just strip STARTTLS and most MTAs will continue to connect.
>

No you can't.

Not with an SMTP that enforces DANE.

If my Postfix sees that your SMTP publishes a DANE record then it will
refuse to connect unless it is a secure connection with a certificate
that matches the fingerprint in the TLSA record.

See RFC 7672.

But the Postfix in RHEL / CentOS 7 does not support that.
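
Added example, not part of the original post and not Postfix code: a Python sketch of the sending MTA's decision discussed above, following RFC 7672 and limited to DANE-EE (usage 3) TLSA records. The function names, status strings and byte strings are assumptions constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (the only usage this sketch handles)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rr, cert_der, spki_der):
    """Compare one DANE-EE record against the certificate the server presented."""
    if rr.usage != 3:
        raise ValueError("only DANE-EE (usage 3) is modelled here")
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return selected == rr.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[rr.mtype]
    return digest(selected).digest() == rr.data

def delivery_decision(dnssec, tlsa_rrset, starttls_offered, cert_der=b"", spki_der=b""):
    """dnssec is the validation status of the TLSA lookup:
    'secure', 'insecure' (unsigned zone or no records), or 'bogus'."""
    if dnssec == "bogus":
        return "defer"            # DNSSEC validation failed: do not deliver
    if dnssec != "secure" or not tlsa_rrset:
        return "opportunistic"    # no DANE policy: TLS if offered, else plaintext
    if not starttls_offered:
        return "defer"            # STARTTLS missing or stripped: no plaintext fallback
    if any(tlsa_matches(rr, cert_der, spki_der) for rr in tlsa_rrset):
        return "deliver-authenticated"
    return "defer"                # certificate matches no TLSA record

# Constructed sample data: stand-in byte strings, not real DER encodings.
GOOD_CERT, GOOD_SPKI = b"constructed-cert-der", b"constructed-spki-der"
ROGUE_CERT, ROGUE_SPKI = b"constructed-rogue-cert", b"constructed-rogue-spki"
RRSET = [TLSA(3, 1, 1, hashlib.sha256(GOOD_SPKI).digest())]  # a "3 1 1" record

if __name__ == "__main__":
    print(delivery_decision("secure", RRSET, True, GOOD_CERT, GOOD_SPKI))
    print(delivery_decision("secure", RRSET, False))       # STARTTLS stripped
    print(delivery_decision("secure", RRSET, True, ROGUE_CERT, ROGUE_SPKI))
    print(delivery_decision("insecure", [], False))        # no DANE published
```

Only the last case delivers without TLS, which is the downgrade the quoted reply describes; with a DNSSEC-validated TLSA record the same stripped session is deferred instead.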