Viktor Dukhovni <ietf-dane@dukhovni.org> writes:
> For those publishing TLSA records for inbound DANE, please make *sure* that you're offering STARTTLS *unconditionally*, to all SMTP clients with no restrictions by client IP address or reputation. Configurations that restrict STARTTLS to a set of "good" IPs are not compatible with DANE.
This is indeed an important point to consider. Never thought of the possibility that the same client would first fail TLS and then start using DANE at some later point in time.
> If STARTTLS was disabled with some client IPs for interoperability reasons, resolve those first.
In a perfect world, yes. But in practice: How do you do that?
I don't think it is realistic to offer STARTTLS without some local exception list. There are just too many buggy clients and ignorant sysadmins.
Bjørn
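The failure mode discussed above, as an added illustration that is not part of the thread: a DANE-aware sending MTA (RFC 7672) that finds usable TLSA records treats TLS as mandatory, so an MX that withholds STARTTLS from some client IPs turns those senders' mail into deferrals rather than cleartext fallback. The EHLO captures, the exception networks and the client addresses below are constructed sample data.

```python
# Added illustration (not from the thread): models how a DANE-aware SMTP client
# (RFC 7672) reacts when an MX that publishes TLSA records withholds STARTTLS from
# some client IPs, and audits a local STARTTLS exception list against that policy.
import ipaddress
import re

# EHLO reply lines look like "250-STARTTLS" or "250 STARTTLS" (RFC 3207).
_STARTTLS_LINE = re.compile(r"^250[ -]STARTTLS\s*$", re.IGNORECASE | re.MULTILINE)


def offers_starttls(ehlo_reply: str) -> bool:
    """True if the server's EHLO reply advertises the STARTTLS extension."""
    return bool(_STARTTLS_LINE.search(ehlo_reply))


def dane_client_outcome(mx_has_usable_tlsa: bool, ehlo_reply: str) -> str:
    """What a sending MTA does after EHLO.

    A DANE-aware client that found usable TLSA records treats TLS as mandatory:
    if STARTTLS is missing it defers the message instead of sending in cleartext.
    A client without (or not checking) TLSA records just falls back to cleartext.
    """
    if offers_starttls(ehlo_reply):
        return "tls-required" if mx_has_usable_tlsa else "tls-opportunistic"
    return "deferred" if mx_has_usable_tlsa else "cleartext"


def audit_starttls_exceptions(mx_has_usable_tlsa, exception_cidrs, client_ips):
    """Return client IPs that will be unable to deliver to this MX: they fall inside
    the local "no STARTTLS for these clients" list while the MX publishes TLSA."""
    if not mx_has_usable_tlsa:
        return []
    nets = [ipaddress.ip_network(c, strict=False) for c in exception_cidrs]
    return [ip for ip in client_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]


# Constructed sample data: two EHLO captures and a hypothetical exception list.
EHLO_WITH_TLS = "250-mx.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_TLS = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
EXCEPTION_CIDRS = ["192.0.2.0/24", "2001:db8::/32"]   # "buggy client" networks
CLIENTS = ["192.0.2.10", "198.51.100.7", "2001:db8::1"]

if __name__ == "__main__":
    print(dane_client_outcome(True, EHLO_WITHOUT_TLS))            # deferred
    print(audit_starttls_exceptions(True, EXCEPTION_CIDRS, CLIENTS))
```

The audit function is the check to run before publishing TLSA records: any client network it lists must be removed from the exception list first, as Viktor's message says.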