On 2015-02-24 00:23, Kevin San Diego wrote:
> model. For the types of customers who already have to have public CA-cert validated SMTP communications (and associated accept on validation success/drop on validation failure policy set up with critical partners), the currently deployed field of MTAs which don't yet have SMTP client support for DANE at the won't be able to validate the TLS session if a DANE EE cert is used in lieu. Given that MX records point to a specific host or set of hosts on a per domain basis, I presently don't see how an organization could simultaneously support both traditional CA-cert validated TLS connections and TLSA (mode 2/3) validated TLS connections. Receiving SMTP servers can typically only be configured with a single server certificate per IP/port binding.
This was the bit that got me really confused as well. If I understand it correctly, you can still use mode 2/3 on a CA-signed certificate, you're just telling DANE-capable clients that they're not supposed to validate the certificate against the PKIX infrastructure. Non-DANE-capable clients will still do their normal thing when they see the certificate in their SSL/TLS sessions.
Regards,
Eivind Olsen
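The point made in this reply, as an added example that is not part of the thread: one CA-signed MX certificate is issued, a usage-3 (DANE-EE) TLSA record is derived from it, and the same certificate is then checked the way a legacy client would (PKIX chain to the CA) and the way a DANE client would (SPKI digest against the TLSA record only). It assumes the openssl command line tool is installed; the CA, the host name mx.example.test and all keys are constructed here.

```shell
#!/bin/sh
# Added example: a single CA-signed certificate satisfies both a PKIX-only
# SMTP client and a DANE client trusting a usage-3 TLSA record.
# Assumption: the openssl CLI is on PATH. Every name below is made up.
set -e
WORK=$(mktemp -d)

# Constructed PKI: a private CA and one MX certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -subj "/CN=Example Mail CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/mx.key" \
  -out "$WORK/mx.csr" -subj "/CN=mx.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/mx.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/mx.pem" -days 2 >/dev/null 2>&1

# SHA-256 over the DER SubjectPublicKeyInfo (TLSA selector 1, matching type 1).
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= *//'
}

# RDATA the domain would publish at _25._tcp.mx.example.test (usage 3).
tlsa_dane_ee_record() { printf '3 1 1 %s\n' "$(spki_sha256 "$WORK/mx.pem")"; }

# Usage 2 alternative: pin the issuing CA instead of the leaf.
tlsa_dane_ta_record() { printf '2 1 1 %s\n' "$(spki_sha256 "$WORK/ca.pem")"; }

# Legacy (non-DANE) client: never looks at TLSA, walks the chain to its CA store.
pkix_verify() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/mx.pem" >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# DANE client with a usage-3 record: compares the presented leaf's SPKI digest
# with the record; the issuer is never consulted, so a CA signature is harmless.
dane_ee_verify() {
  # $1 = TLSA RDATA, $2 = certificate presented by the server
  [ "$1" = "3 1 1 $(spki_sha256 "$2")" ] && echo OK || echo FAIL
}
```

Running `tlsa_dane_ee_record` prints the record to publish, and `pkix_verify` and `dane_ee_verify "$(tlsa_dane_ee_record)" "$WORK/mx.pem"` both report OK for the same certificate.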