Re: Python standard library defaults to insecure TLS for mail protocols

[nightmare.yeah27 () aceecat org]

On Thu, Feb 01, 2024 at 09:27:15PM +0100, Hanno Böck wrote:

> > Relaying *MTAs* do not usually verify the certificate of the
> > server they connect to.

> Even that isn't true any more in 2024. The largest mail providers
> (and plenty of small ones) all support MTA-STS. So in most cases,
> certificate validity and hostnames are checked.

> > When they do, it creates problems because MTA certificates are
> > very often self-signed. IIRC Yahoo relays in particular used to
> > have this problem (or still do?)

> Doubtful:
> host -t txt _mta-sts.yahoo.com
> _mta-sts.yahoo.com descriptive text "v=STSv1; id=20161109010200Z;"

> If they had invalid certs, they wouldn't receive any mails from
> MTA-STS supporting senders. I think someone would've noticed.

I see little point in re-litigating the rest of the argument, but I
should note that I meant this the other way. Yahoo used to be the one
major *sender* provider that checked the recipient certs, and when it
failed it fell back to plaintext.

-- 
Ian