
291505 Re: Enforced TLS per MX

  • Viktor Dukhovni
    Feb 22, 2013
      On Fri, Feb 22, 2013 at 11:33:53AM -0500, Wietse Venema wrote:

      > Viktor Dukhovni:
      > > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
      > >
      > > > > We are trying to establish enforced TLS with a partner that hosts about
      > > > > 2000 recipient domains. All of these point to the same four MX records:
      > > > >
      > > > > host[1-4].example.com
      > > > >
      > > > > As I did not want to specify all of these domains in our tls_policy
      > > > > file, I wanted to ask if there is any option to enforce TLS by those MX
      > > > > addresses.
      > > >
      > > > Surely, the policy table is indexed by MX hostname as well as
      > > > recipient domain.
      > >
      > > No, it is not. Only the nexthop domain is used since the MX host
      >
      > I see. This was a property of the legacy tls-per-site table.

      Yep, security is a pain. I did not want to provide a false sense
      of security with the new policy table. None of the fancy certificate
      verification is worth much if it is trivially subverted with a
      forged DNS response. We will be able to meet user expectations
      once DNSSEC is more pervasive (5-10 years with a bit of luck,
      they will typically be running 2.11 or later by then too).

      --
      Viktor.
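The design point in the message above, that a policy keyed on the MX hostname is only as trustworthy as the (unauthenticated) DNS answer it came from, illustrated with a small added model in Python. This is not Postfix code and not code from the thread; the recipient domains, MX hosts, policy tables and resolver answers are constructed for the example, and the "defer" outcome for an unauthenticated key is an assumed defensive choice, not documented Postfix behaviour.

```python
"""Toy model of why an outbound TLS policy table should be keyed by the
recipient's nexthop domain rather than by the MX hostname it resolves to.
Added illustration only; all names and tables below are constructed."""

from dataclasses import dataclass

# Simplified ladder of security levels, weakest first.
LEVELS = ["none", "may", "encrypt", "secure"]


@dataclass(frozen=True)
class MxAnswer:
    """What the resolver handed back for a recipient domain's MX lookup."""
    hosts: tuple             # MX hostnames, best preference first
    dnssec_validated: bool   # True only if the answer was authenticated


# Constructed tables. The partner's four MX hosts (host1..host4.example.com)
# serve the recipient domains partner-a.example and partner-b.example.
POLICY_BY_NEXTHOP = {
    "partner-a.example": "secure",
    "partner-b.example": "secure",
}
POLICY_BY_MX_HOST = {f"host{i}.example.com": "secure" for i in range(1, 5)}


def level_by_nexthop(domain: str, answer: MxAnswer) -> str:
    """Key is the recipient domain from our own table. The MX answer plays no
    part in choosing the key, so a forged answer cannot lower the level."""
    return POLICY_BY_NEXTHOP.get(domain, "may")


def level_by_mx_host(domain: str, answer: MxAnswer, require_dnssec: bool) -> str:
    """Key comes from the MX answer itself. Without DNSSEC, whoever forges that
    answer also picks the key: point the domain at a host absent from the
    table and "secure" silently becomes "may"."""
    if require_dnssec and not answer.dnssec_validated:
        # Assumed defensive variant: refuse to derive a policy from a key we
        # cannot authenticate, and defer the mail instead of downgrading.
        return "defer"
    chosen = answer.hosts[0]  # the MX host we would actually connect to
    return POLICY_BY_MX_HOST.get(chosen, "may")


def downgraded(expected: str, effective: str) -> bool:
    """True if the effective level is weaker than what the table intended."""
    if effective == "defer":
        return False  # no connection is made, so nothing was weakened
    return LEVELS.index(effective) < LEVELS.index(expected)


# Constructed resolver answers for the same recipient domain. Note that the
# genuine answer is also unauthenticated, as most DNS answers are today.
GENUINE = MxAnswer(("host1.example.com", "host2.example.com"), dnssec_validated=False)
FORGED = MxAnswer(("mx.attacker.example",), dnssec_validated=False)


def compare(domain: str = "partner-a.example") -> dict:
    """Effective level under each keying scheme for genuine vs forged MX data."""
    return {
        "nexthop/genuine": level_by_nexthop(domain, GENUINE),
        "nexthop/forged": level_by_nexthop(domain, FORGED),
        "mxhost/genuine": level_by_mx_host(domain, GENUINE, require_dnssec=False),
        "mxhost/forged": level_by_mx_host(domain, FORGED, require_dnssec=False),
        "mxhost/forged+dnssec-required": level_by_mx_host(domain, FORGED, require_dnssec=True),
    }


if __name__ == "__main__":
    for case, level in compare().items():
        flag = "  <-- downgrade" if downgraded("secure", level) else ""
        print(f"{case:32s} {level}{flag}")
```

With nexthop keying the forged answer still yields "secure", so the connection to the attacker's host has to pass certificate verification against the names the policy expects; it cannot, and the mail is deferred rather than delivered in the clear. With MX-host keying the forged answer lands on a key that is not in the table and the session quietly runs at "may". Only once the MX answer is DNSSEC-validated does keying on the MX host become safe, which is the point about DNSSEC adoption made above.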