Open jap opened 3 months ago
As SMTP STARTTLS checks are on the roadmap, and there is infrastructure to query DNS, maybe it makes sense to add the option to validate that the certificate offered in SMTP STARTTLS matches the DANE records to the roadmap as well.
To reduce implementation effort, maybe limit it to the sane subset of DANE, so options 3 / 1 / 1 as advised in https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md#publishing-dane-records
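The comparison the issue asks for, as an added example that is not code from this issue's author or from the project the issue is filed against: it renders the TLSA 3 1 1 record (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching type) a zone operator would publish for a leaf certificate, and checks whether a certificate offered in STARTTLS matches a set of TLSA records, skipping any record outside that 3 1 1 subset. The self-signed certificates, the host name `mx.example.test` and the function names are constructed for the example. The DNS lookup and the STARTTLS handshake themselves are assumed to have happened already, and a real checker must also confirm that the TLSA answer was DNSSEC-validated before treating a match as meaningful.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSARecord is the parsed form of TLSA RDATA in presentation format,
// e.g. "3 1 1 <hex digest>".
type TLSARecord struct {
	Usage        uint8
	Selector     uint8
	MatchingType uint8
	Data         []byte
}

// ParseTLSA parses "usage selector matching-type hexdata".
func ParseTLSA(rdata string) (TLSARecord, error) {
	fields := strings.Fields(rdata)
	if len(fields) != 4 {
		return TLSARecord{}, errors.New("TLSA rdata must have exactly 4 fields")
	}
	var nums [3]uint8
	for i := 0; i < 3; i++ {
		v, err := strconv.ParseUint(fields[i], 10, 8)
		if err != nil {
			return TLSARecord{}, fmt.Errorf("TLSA field %d: %w", i, err)
		}
		nums[i] = uint8(v)
	}
	data, err := hex.DecodeString(fields[3])
	if err != nil {
		return TLSARecord{}, fmt.Errorf("TLSA association data: %w", err)
	}
	return TLSARecord{nums[0], nums[1], nums[2], data}, nil
}

// SPKISHA256 returns the SHA-256 digest of the certificate's
// SubjectPublicKeyInfo: the association data for selector 1, matching type 1.
func SPKISHA256(cert *x509.Certificate) []byte {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return sum[:]
}

// TLSA311ForCert renders the TLSA 3 1 1 record to publish for a leaf certificate.
func TLSA311ForCert(cert *x509.Certificate) string {
	return "3 1 1 " + hex.EncodeToString(SPKISHA256(cert))
}

// MatchesDANE reports whether the leaf certificate offered in STARTTLS matches
// any TLSA record. Only usage 3 / selector 1 / matching type 1 is handled;
// records with other parameters are skipped rather than treated as a failure.
func MatchesDANE(cert *x509.Certificate, records []TLSARecord) bool {
	digest := SPKISHA256(cert)
	for _, r := range records {
		if r.Usage != 3 || r.Selector != 1 || r.MatchingType != 1 {
			continue
		}
		if bytes.Equal(r.Data, digest) {
			return true
		}
	}
	return false
}

// selfSignedCert builds a throwaway certificate standing in for the one an MX
// host would present (constructed for this example, not a real server's).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	mx, err := selfSignedCert("mx.example.test")
	if err != nil {
		panic(err)
	}
	// The record the zone operator would publish for this certificate.
	published, _ := ParseTLSA(TLSA311ForCert(mx))
	// A second certificate stands in for a key rotation that was not
	// followed by a DNS update (constructed failure case).
	rotated, _ := selfSignedCert("mx.example.test")

	fmt.Println("published record:", TLSA311ForCert(mx))
	fmt.Println("matching cert   :", MatchesDANE(mx, []TLSARecord{published}))
	fmt.Println("rotated key     :", MatchesDANE(rotated, []TLSARecord{published}))
}
```

The mismatch case is the one a monitoring check should alert on: after a key rotation the server still presents a valid chain, but the published 3 1 1 digest no longer matches, and DANE-validating senders will refuse to deliver.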