Alexey wrote (2020-05-07):

 AI>> If my current certificate is not good enough then what would be and
 AI>> why?

 AF> You are using certificate issued by a trusted CA that matches your domain
 AF> specified in nodelist, which is fine. If there would be a standard for
 AF> binkps requiring INA to be present and contain a valid domain name, then
 AF> mailers could verify certificates based on domain names and trusted CA,
 AF> as web browsers do. But without a standard there is no security. If there
 AF> will be an IP address in the INA field, how can you verify certificate
 AF> validity?

and with FTS-5004 (binkp.net) it's also not really secure. we don't even have
an informal agreement how to deal with these addresses does the binkp server
have to offer a cert for it's binkp.net address? or should the binkp client
verify the certificate based on the domain the CNAME / SRV record points to?

of course it always can be treat like a self-signed cert.

---