Hi Kari,

On 25/08/2010 11:30, Kari Hurtta wrote:
> And because mail server name and email address does not need to be any
> connection also checking of signature of certificate against CA does not
> help much. It does not protect attack against MX records on DNS.

true - so in an ideal world, we would need DNSSEC everywhere and strict certificate checking to significantly reduce the possibility of MiTM attacks.

In a not so ideal world, every little bit helps, so if we can get mail servers to routinely use encryption between each other, that's a nice first step, and using valid certificates that can actually be verified is a second one. Both will help significantly already.

Holger