Google wants to add 'not encrypted' warnings to Gmail

Vic

Re: We're the only one...

It's not enough to check if a certificate is valid. You should ensure the certificate is the right one for the domain of the recipients

Yes. That's what's meant by "verifying" the certificate. MTAs are trivially configurable to do such verification - but as yet, there aren't enough with appropriate certificates in place for that to be worth doing.

That still doesn't mean that OE is useless, it just means that there is room for improvement - and the code to do it is already in place.

The problem is, as another commenter pointed out, many MX records redirect to a different server which hosts the mailboxes - often in its own different domain.

That is the domain owner's decision. That's what "ownership" means. It's also relatively easy to secure that link to the extent of the trust system in SSL by securing the MX record with DNSSEC.

The way SMTP is designed today it could only work if an MX record points to servers for the same domain - an MTA could check if recipient somebody@foo.com will be really delivered to a server using a foo.com certificate, after it obtained the server certificate.

And if it's important to you to secure the domain, you do that. If you choose not to do so, there's no grounds for complaint later.

But if I'm sending to foo.com, ask the MX record and get aspmx.1.google.com, EHLO/STARTTLS it and the server answers with a valid certificate for aspmx.1.google.com, what should the MTA do?

Take it. If the domain owner has said he trusts that server, all you need is a verified certificate. If that's not enough security for you - don't trust someone else's server.

And what if the DNS is poisoned?

If you can poison DNSSEC, you can poison anything, so all talk of security is moot. If you require security - use DNSSEC to obviate the DNS poisoning attacks.

Yes, you get some encryption which may be often better than nothing.

It is better than nothing. Cleartext is a mistake far bigger than being vulnerable to a few privileged attackers.

And your email will still be in cleartext on the server, with no protection.

If your mail is important enough to you that that is a problem, make sure the server is encrypted. If you're using someone else's server, you probably don't care that much.

TL;DR: security isn't an all-or-nothing affair; just because you're not protected against every single possible attack, that doesn't mean you shouldn't be protecting yourself against what you can.

Vic.
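The decision the two commenters argue over (foo.com's MX pointing at aspmx.1.google.com, which presents a certificate for its own name) can be written down as a policy. The following is an added example, not code from the comment or from any MTA; the verdict names, the helper functions and the `mx_dnssec_validated` flag are this example's own assumptions, and the certificate is assumed to have already been chain-validated by the TLS library.

```python
from __future__ import annotations

# Verdict vocabulary invented for this example.
VERIFIED = "verified"
VERIFIED_MX_UNAUTHENTICATED = "verified-mx-unauthenticated"
OPPORTUNISTIC = "opportunistic"


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed
    only as the entire leftmost label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    suffix = pattern[1:]              # "*.google.com" -> ".google.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]   # the label the wildcard must cover
    return bool(leftmost) and "." not in leftmost


def domain_of(address: str) -> str:
    """Recipient domain from an address such as somebody@foo.com."""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def evaluate_delivery(recipient: str, mx_host: str, cert_names: list[str],
                      mx_dnssec_validated: bool) -> str:
    """Decide how much to trust a STARTTLS session to mx_host.

    cert_names: subjectAltName dNSName entries of the presented certificate.
    mx_dnssec_validated: whether the MX answer was DNSSEC-validated.
    """
    domain = domain_of(recipient)
    # A certificate for the recipient domain itself proves the peer holds
    # that domain's key, whatever DNS said (the stricter check in the quote).
    if any(hostname_matches(n, domain) for n in cert_names):
        return VERIFIED
    if any(hostname_matches(n, mx_host) for n in cert_names):
        # Cert is for the host the MX record named. With a DNSSEC-validated
        # MX the domain owner chose this host and a poisoned answer could
        # not have substituted another correctly-certified server.
        return VERIFIED if mx_dnssec_validated else VERIFIED_MX_UNAUTHENTICATED
    # Name mismatch: still encrypt, but treat it as unverified opportunistic
    # TLS, which beats cleartext against passive observers.
    return OPPORTUNISTIC
```

With plain DNS the foo.com-to-aspmx.1.google.com case lands in the middle verdict, which is the poisoning gap the thread discusses; the same inputs with a DNSSEC-validated MX become fully verified.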
