
Message 291672: Re: Enforced TLS per MX

  • Jan P. Kessler
    Feb 27, 2013
      On 22.02.2013 17:06, Viktor Dukhovni wrote:
      > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
      >>> We are trying to establish enforced TLS with a partner that hosts about
      >>> 2000 recipient domains. All of these point to the same four MX records:
      >>> host[1-4].example.com
      >>> As I did not want to specify all of these domains in our tls_policy
      >>> file, I wanted to ask if there is any option to enforce TLS by those MX
      >>> addresses.
      >> Surely, the policy table is indexed by MX hostname as well as
      >> recipient domain.
      > No, it is not. Only the nexthop domain is used since the MX host
      > is derived from unauthenticated MX lookups and is trivially subject
      > to MITM attacks.

      So it would have the same "quality" as the "encrypt" action, no?
      Something between 0 and 100, that could be explicitly mentioned in the
      docs. Doesn't help with a MITM but keeps out the firewall/provider guy
      with debug/snoop/tcpdump - and your idp of course :-(

      But I understand the point and agree with it although it doesn't make me
      very happy. We are replacing an interconnection between some companies
      with several 1000s of domains (actively used, frequently enhanced) via
      leased lines. This required (and unfortunately still requires) a
      database for domain exchange and some kind of 'administrative
      discipline' to keep it updated in time. My expectation is that DNSSEC
      will be globally used before the last point is going to function properly ;)
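The thread's point is that the Postfix TLS policy table is keyed by the nexthop (recipient) domain only, and that the names accepted during certificate verification should be stated explicitly rather than taken from the MX lookup. The following script, added here as an illustration and not code from any poster or from Postfix, generates such a policy table for a set of hosted domains and models which certificate names an entry would accept. The recipient domains are invented placeholders; the MX hosts host1-4.example.com come from the thread; the matching rules are a simplified model of Postfix's `match=` handling (exact names and leading-dot subdomain patterns only, no wildcard certificates), not the real implementation.

```python
"""Generate a Postfix smtp_tls_policy_maps table for many recipient domains
that share a few MX hosts, and model the certificate-name check an entry implies.

Constructed example for this thread; not code from the original posts or from
Postfix.  Assumptions: MX hosts host1-4.example.com (named in the thread),
invented recipient domains, and a simplified model of match= semantics.
"""
from typing import Dict, Iterable, List, Tuple

# The provider's four MX hosts named in the thread.
MX_HOSTS = ["host1.example.com", "host2.example.com",
            "host3.example.com", "host4.example.com"]

# Constructed placeholder recipient domains (the real list would be ~2000 long).
RECIPIENT_DOMAINS = ["customer-a.example.net", "customer-b.example.org",
                     "customer-c.example"]


def policy_line(domain: str, match_names: Iterable[str], level: str = "secure") -> str:
    """One tls_policy line keyed by the nexthop (recipient) domain.

    The table is indexed by nexthop domain, never by MX hostname, so every hosted
    domain needs its own entry.  The match= list names the certificate identities
    we accept, so verification does not depend on the unauthenticated MX lookup.
    """
    return f"{domain} {level} match={':'.join(match_names)}"


def build_policy(domains: Iterable[str], match_names: Iterable[str],
                 level: str = "secure") -> List[str]:
    """Return one sorted, de-duplicated policy line per recipient domain."""
    names = list(match_names)
    return [policy_line(d, names, level) for d in sorted(set(domains))]


def parse_policy_line(line: str) -> Tuple[str, str, Dict[str, object]]:
    """Split 'domain level key=value ...' back into its parts (match= is a list)."""
    fields = line.split()
    domain, level = fields[0], fields[1]
    opts: Dict[str, object] = {}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        opts[key] = value.split(":") if key == "match" else value
    return domain, level, opts


def name_matches(cert_name: str, pattern: str) -> bool:
    """Simplified model (assumption) of a match= pattern:
    - 'host1.example.com' matches exactly that name;
    - '.example.com' matches any proper subdomain of example.com, not the parent.
    """
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and cert_name != pattern[1:]
    return cert_name == pattern


def accepts_certificate(level: str, match_names: Iterable[str],
                        cert_names: Iterable[str]) -> bool:
    """Would this policy level accept a peer presenting these certificate names?

    'encrypt' only demands TLS and checks no identity, so any certificate passes
    (this is the MITM exposure discussed in the thread).  'verify' and 'secure'
    require a certificate name that matches one of the match= patterns.
    """
    if level == "encrypt":
        return True
    if level in ("verify", "secure"):
        return any(name_matches(c, p) for c in cert_names for p in match_names)
    raise ValueError(f"unsupported level for this model: {level}")


if __name__ == "__main__":
    for line in build_policy(RECIPIENT_DOMAINS, MX_HOSTS):
        print(line)
```

Run it to emit the table, then compile it for Postfix in the usual way (for example `postmap hash:/etc/postfix/tls_policy`) and reference it from `smtp_tls_policy_maps`. The generator does not remove the administrative burden the poster describes: the domain list still has to be kept current, which is exactly why the table cannot be keyed by the shared MX names.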