by linkregister 3777 days ago
Long before Let's Encrypt, SMTP transactions with STARTTLS have permitted self-signed and non-root-CA chained certificates.

The pervasiveness of self-signed certificates for SMTP servers means that rejecting them would drop large amounts of email. STARTTLS is basically useful for thwarting passive collection of network traffic.


Gmail's new rules on unencrypted e-mail don't support self-signed certificates though - you have to use an official CA-issued certificate from one of Google's approved CAs.
I'm not so sure about that; I use a self-signed cert for port 25 TLS, and I just sent from Google to my domain, and didn't see a warning.
What's your source for that?
That doesn't bring a lot of extra security though, because there's no name verification. I can get a valid Let's Encrypt cert on anyrandomdomain.com, and if I can hijack your MX and point at it, it's "valid".
What? How can you get a cert for a domain you don't control?
I don't need to control your domain. If I control my own domain, which could be any throwaway domain I just purchased, I can get an SSL certificate on it.

And if I can point your MX records there, via hijack or any other means, then I have a valid SSL certificate for receiving your email.
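
Added example, not part of the thread or written by any of its participants: a small offline model of the check discussed above. It shows that validating a certificate only against the MX hostname returned by DNS accepts a CA-issued certificate for an unrelated domain, while also requiring the MX host to match a list bound to the recipient domain does not. The certificate dictionaries, the pinned list and all function names are assumptions made for illustration, and the domains are constructed.

```python
"""Constructed model of SMTP STARTTLS certificate checks; no network access."""

def name_matches(pattern, host):
    """Match a certificate DNS name against a host name.
    A '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(host, cert):
    """Stand-in for chain and name validation: trusted issuer plus a SAN for host."""
    return cert["ca_trusted"] and any(name_matches(n, host) for n in cert["san"])

def check_mx_name_only(recipient_domain, mx_host, cert):
    """Validate against whatever MX host DNS returned.
    recipient_domain is never consulted: that is the gap the thread describes."""
    return cert_valid_for(mx_host, cert)

def check_with_pinned_mx(recipient_domain, mx_host, cert, pinned):
    """Additionally require the MX host to appear in a list tied to the
    recipient domain (assumed to be obtained over an authenticated channel)."""
    allowed = pinned.get(recipient_domain.lower(), [])
    if not any(name_matches(p, mx_host) for p in allowed):
        return False
    return cert_valid_for(mx_host, cert)

# Constructed sample data using reserved example domains.
LEGIT = {"ca_trusted": True, "san": ["mx.example.org"]}
OTHER_DOMAIN = {"ca_trusted": True, "san": ["mail.throwaway.example"]}
SELF_SIGNED = {"ca_trusted": False, "san": ["mx.example.org"]}
PINNED = {"example.org": ["mx.example.org"]}

def scenarios():
    """Return {label: (mx_name_only_result, pinned_mx_result)}."""
    rows = [
        ("genuine MX, CA cert", "mx.example.org", LEGIT),
        ("redirected MX, CA cert for other domain", "mail.throwaway.example", OTHER_DOMAIN),
        ("genuine MX, self-signed cert", "mx.example.org", SELF_SIGNED),
    ]
    return {label: (check_mx_name_only("example.org", mx, cert),
                    check_with_pinned_mx("example.org", mx, cert, PINNED))
            for label, mx, cert in rows}

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: name-only={result[0]} pinned={result[1]}")
```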