Tony wrote (2020-05-04):
AI>> It's possible to use a self signed certificate. I don't know the
AI>> ramifications of a self signed certificate vs letsencrypt but it
AI>> might provide the security and privacy we need.
TL> Encryption will be fine, but self signed just means you can't trust the
TL> other end to be who they say they are.
Works fine with SSH. Trust on first use (TOFU) works with TLS too. There is
also DANE / TLSA-records to put the (hash of the) public key in DNS. You could
also put it in the nodelist itself.
TL> But that's a call the BBS networks have to make.
This is like: that's a call the Internet has to make.
AI>> Currently I use a certificate from letsencrypt.
TL> I'm not currently running binkps. It's been a moving target, and as I've
TL> said, I won't bother jumping through hoops and binkd doesn't yet support
TL> TLS natively (that I'm aware of).
Native support in binkd would be nice, on the other hand the workarounds are
not that difficult.
Outgoing connections are easy with binkd:
node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null --no-ca-verification --strict-tofu --disable-sni *H:24553"
Incoming connections with haproxy are three lines (works for every mailer):
listen binkps
bind :::24553 ssl crt fidonet.pem
server binkd 127.0.0.1:24554
Synchronet's BinkIT does support TLS already. But only jumping through hoops
(with binkd) gives you TLS 1.3 connections.
---
* Origin: (2:280/464.47)
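Added example, not part of Tony's message and not code from binkd, gnutls or haproxy: a small Go program that does what the `--strict-tofu` pipe above does, in the client's own TLS stack. A `PinStore` (a made-up name) remembers the SHA-256 of each peer's public key on first contact and refuses any later connection from the same peer name with a different key; CA verification is switched off so a self-signed certificate is accepted, as the post describes. The same hash is what a DANE TLSA `3 1 1` record carries, so `TLSARecord` prints the line that would go in DNS (or, as the post suggests, into the nodelist). The peer name `5:6/7@fidonet` is the one from the post; `binkp.example.net` and the `_24553._tcp.` owner name are invented for the demo, and the throwaway certificate and loopback server exist only so the example runs offline.

```go
// Added example (not from the original post, binkd, gnutls or haproxy): strict
// trust-on-first-use for TLS, as "gnutls-cli --strict-tofu" does, and the DANE
// TLSA record carrying the same key hash. Peer and DNS names are made up.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var ErrPinMismatch = errors.New("tofu: peer key does not match stored pin")

// PinStore maps a peer name (here a Fidonet address) to the hex SHA-256 of its
// SubjectPublicKeyInfo: the key, not the certificate, so a renewal that keeps
// the key keeps the pin. It is the value a TLSA "3 1 1" record carries, so it
// could come from DNS or the nodelist instead of being learned on first use.
type PinStore map[string]string

func SPKIHash(leafDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// TLSARecord: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
func TLSARecord(owner string, leafDER []byte) (string, error) {
	pin, err := SPKIHash(leafDER)
	return owner + ". IN TLSA 3 1 1 " + pin, err
}

// Verify is a tls.Config.VerifyPeerCertificate callback: unknown peer -> pin its
// key; known peer -> the key must match. It is paired with InsecureSkipVerify,
// which drops CA/chain checks (self-signed passes) but still delivers raw certs.
func (p PinStore) Verify(peer string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return errors.New("tofu: peer sent no certificate")
		}
		got, err := SPKIHash(raw[0])
		if err != nil {
			return err
		}
		if want, known := p[peer]; known && want != got {
			return ErrPinMismatch // strict: never silently re-pin
		}
		p[peer] = got
		return nil
	}
}

// Dial makes a TLS 1.3 connection authenticated by the pin under peer, not by a CA.
func (p PinStore) Dial(peer, addr string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true,
		VerifyPeerCertificate: p.Verify(peer), MinVersion: tls.VersionTLS13})
	if err != nil {
		return err
	}
	return conn.Close()
}

// SelfSignedCert makes a throwaway self-signed certificate for the demo.
func SelfSignedCert(cn string) (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Serve answers TLS on a loopback port, finishing each handshake (so the client's
// verifier runs) and closing; a handshake error after a client alert is expected.
func Serve(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0",
		&tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13})
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

func main() {
	cert, err := SelfSignedCert("binkp.example.net")
	if err != nil {
		panic(err)
	}
	ln, err := Serve(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	pins := PinStore{}
	for i := 0; i < 2; i++ { // first dial pins the key, second dial checks it
		if err := pins.Dial("5:6/7@fidonet", ln.Addr().String()); err != nil {
			panic(err)
		}
	}
	rec, _ := TLSARecord("_24553._tcp.binkp.example.net", cert.Certificate[0])
	fmt.Println("pinned:", pins["5:6/7@fidonet"], "\n"+rec)
}
```

Against a real binkps port the call is just `pins.Dial("5:6/7@fidonet", "host:24553")`, and the map would be persisted to disk the way gnutls keeps its TOFU database. If the hash is published beforehand (TLSA record or nodelist), preload `PinStore` with it and the "unknown peer" branch never runs, which closes the one gap TOFU leaves: an attacker who sits on the first connection. On the haproxy side of the post, the pin the other end should see is the SPKI hash of the key inside `fidonet.pem`.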