In message <alpine.LSU.2.00.0811121752110.14367@xxxxxxxxxxxxxxxxxxxxxx>, Tony Finch writes:
> On Wed, 12 Nov 2008, Mark Andrews wrote:
> >
> > It also stops the small sites being able to use cryptography to stop man
> > in the middle attacks as they are forced to insert a middle man.
>
> SMTP over TLS to an MX does NOT protect against man in the middle attacks.

It does when you turn on DNSSEC so that it covers the MX RRset, or the
synthesized MX RRset when there is no MX RRset but there are address
records (also covered by DNSSEC), and match the server certificate to
the (synthesized) name in the MX record.

We have the technology to do this. People just need to use it.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
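
The check described in the message above, as an added example that is not part of the original thread: take TLS reference identities only from a DNSSEC-validated MX RRset (or the implicit MX synthesized from signed address records), then match the server certificate's DNS names against them. The resolver answers are constructed sample data, `secure` stands for a validating resolver's DNSSEC-secure status, and all function names are hypothetical.

```python
# Added illustration: names and sample data are constructed, not from the thread.
# Each answer is (rrset_or_None, secure); secure=True means a validating resolver
# reported the RRset, or the proof of its absence, as DNSSEC-secure (assumption).

def reference_names(domain, dns):
    """Return MX target names that may be used as TLS reference identities."""
    mx, mx_secure = dns.get((domain, "MX"), (None, False))
    if not mx_secure:
        return []  # unsigned answer or unsigned denial: could have been forged
    if mx:
        return [host.rstrip(".").lower() for _, host in sorted(mx)]
    # MX absence is proven: fall back to the implicit MX (RFC 5321 section 5.1),
    # but only if the address records are signed too.
    for rtype in ("A", "AAAA"):
        addrs, secure = dns.get((domain, rtype), (None, False))
        if addrs and secure:
            return [domain.rstrip(".").lower()]
    return []

def name_matches(pattern, host):
    """Match a certificate dNSName, allowing one leftmost-label wildcard."""
    p, h = pattern.lower().rstrip(".").split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def server_authenticated(domain, connected_host, cert_dns_names, dns):
    """True only if the host came from signed DNS data and the cert names it."""
    host = connected_host.rstrip(".").lower()
    if host not in reference_names(domain, dns):
        return False
    return any(name_matches(n, host) for n in cert_dns_names)

# Constructed resolver answers for three mail domains.
SAMPLE_DNS = {
    ("example.org", "MX"): ([(20, "mx2.example.net."), (10, "mx1.example.org.")], True),
    ("small.example", "MX"): (None, True),          # signed proof that no MX exists
    ("small.example", "A"): (["192.0.2.25"], True),
    ("unsigned.example", "MX"): ([(10, "mail.unsigned.example.")], False),
}
```

For the unsigned zone the function returns no reference names at all, so a certificate that matches the MX target still does not authenticate the server: the target name itself was never protected.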