On Mon, 2016-10-24 at 13:00 +0000, Ivan Shmakov wrote: > > > > Andrey Rahmatullin <wrar@debian.org> writes: > > On Mon, Oct 24, 2016 at 11:45:33AM +0000, Ivan Shmakov wrote: > > > >> $ gnutls-cli --starttls -p 25 bendel.debian.org > > […] > > >> Connecting to '82.195.75.100:443'... > > > I cannot reproduce gnutls-cli connecting to :443 when asked :25. > > Indeed, my mistake; I somehow managed to MIME the wrong > transcript. Here’s the correct one. [...] Those certificates look as expected. Since TLS encryption of SMTP between servers is opportunistic, there's no particular reason to use a widely trusted CA for server certificates. A MITM can just as easily block STARTTLS as substitute their own key. Ben. -- Ben Hutchings For every complex problem there is a solution that is simple, neat, and wrong.
Attachment:
signature.asc
Description: This is a digitally signed message part