It appears that Paul Wouters <paul@xxxxxxxxx> said:
>On Oct 31, 2024, at 07:46, Nick Hilliard <nick@xxxxxxxxxx> wrote:
>>
>> In the https world, we've been spoiled by ACME on the server side
>
>Which I also use for my smtp certificate, glued together with certbot or dehydrated.

To use certbot, you need a web server at least temporarily answering at the address you use for your mail server, or it needs to be able to stuff records into the domain's DNS at one of the DNS providers on their list. While that's common in small systems, it is not at all in medium and large ones.

I use ACME for my mail server certificates, of which I have about 110 since my MX'es have different names for every mail domain they host. It works OK using a great deal of glue I wrote so acme.sh can push records into the zones in my DNS toaster. It was fun but it is not trivial.

For the zillionth time, we all agree that using STARTTLS is a fine idea, but mandating it will break a lot of dusty but still useful systems.

R's,
John

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
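As an added illustration of the "glue" the message above refers to (this is example code, not John's scripts and not part of certbot or acme.sh), the following shows the DNS-01 half of the problem: for each MX host name, the ACME client must derive the TXT value from the challenge token and the account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638), work out which hosted zone the host name belongs to, and publish `_acme-challenge.<host>` there, here as an RFC 2136 `nsupdate` batch. The hosted zone list, the host names, the name server `ns1.example.com`, the JWK and the tokens are all constructed sample data; a real run gets the tokens from the ACME server and the JWK from the account key.

```python
"""Minimal ACME DNS-01 glue helpers (added example, constructed data throughout)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    lexically ordered, no whitespace. Private members (d, p, q, ...) are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for DNS-01: base64url(SHA-256("<token>.<thumbprint>"))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def find_zone(fqdn: str, zones: list) -> str:
    """Pick the longest hosted zone that is a suffix of fqdn. With MX names spread
    over many customer domains this lookup is where most of the glue lives."""
    name = fqdn.rstrip(".").lower()
    candidates = [z.rstrip(".").lower() for z in zones]
    matches = [z for z in candidates if name == z or name.endswith("." + z)]
    if not matches:
        raise ValueError(f"no hosted zone for {fqdn}")
    return max(matches, key=len)


def nsupdate_batch(server: str, zone: str, fqdn: str, txt_value: str,
                   ttl: int = 60, remove: bool = False) -> str:
    """Build an nsupdate(8) input batch that adds, or on cleanup deletes, the
    challenge TXT record. A short TTL keeps stale challenges from lingering."""
    record = f"_acme-challenge.{fqdn.rstrip('.')}."
    lines = [f"server {server}", f"zone {zone.rstrip('.')}."]
    if remove:
        lines.append(f"update delete {record} TXT")
    else:
        lines.append(f'update add {record} {ttl} IN TXT "{txt_value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def plan_updates(tokens_by_host: dict, jwk: dict, zones: list, server: str) -> list:
    """One add batch and one cleanup batch per host name in the order."""
    thumb = jwk_thumbprint(jwk)
    plan = []
    for host, token in tokens_by_host.items():
        zone = find_zone(host, zones)
        value = dns01_txt_value(token, thumb)
        plan.append({
            "host": host,
            "zone": zone,
            "txt": value,
            "add": nsupdate_batch(server, zone, host, value),
            "cleanup": nsupdate_batch(server, zone, host, value, remove=True),
        })
    return plan


# Constructed sample data: not a real key, not real tokens, not real zones.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
HOSTED_ZONES = ["example.com", "mail.example.com", "example.net"]
SAMPLE_TOKENS = {
    "mx1.mail.example.com": "constructedToken0001-AAAAAAAAAAAAAAAAAAAAAAA",
    "mx1.example.net": "constructedToken0002-BBBBBBBBBBBBBBBBBBBBBBB",
}

if __name__ == "__main__":
    for step in plan_updates(SAMPLE_TOKENS, SAMPLE_JWK, HOSTED_ZONES, "ns1.example.com"):
        print(f"# {step['host']} -> zone {step['zone']}")
        print(step["add"])
```

Each `add` batch is what you would pipe into `nsupdate -k <tsig-key-file>` before asking the ACME server to validate, and the matching `cleanup` batch runs once the order is finalized; with a different DNS backend (a provider API rather than RFC 2136) only `nsupdate_batch` changes, the thumbprint, TXT derivation and zone selection stay the same.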