Re: Lookup key of smtp_tls_policy_maps
also sprach Victor Duchovni <Victor.Duchovni@...> [2010.08.30.1611 +0200]:
> > Is it intentional then that the TLS policy map is searched for
> > the nexthop, if one is defined there?
> > Does it /also/ check the policy for the recipient domain?
> No. TLS policy is by nexthop. TLS is a hop-by-hop security
> protocol, not an end-to-end security mechanism like S/MIME or

Good point, very illuminating perspective; thank you for clearing
this up for me.

> > Now you are talking about the verification match. You say that
> > it's not possible to use DNS data for verification. In the light
> > of this, what then is the difference between the "verify" and
> > the "secure" policies?
> The default matching rules for "verify" include the MX hostname.
> The "verify" security level is not recommended. Its inclusion in
> the design is (with 20/20 hindsight) an error. Since one can
> specify the matching rules for "secure", there is not really
> a need for a different "verify" level that differs only in the
> default matching rules.

But I beg to differ with your hindsight, but only with a small
use-case: if you can be sure that *all* DNS responses are
secure/trustworthy (read: closed set of zones, DNSSEC validation by
the recursor on the MX), then "verify" allows you to keep the match
information in one place: the DNS MX records.

Arguably, this is a teeny-tiny use-case, so I tend to agree with
martin | http://madduck.net/ | http://two.sentenc.es/
"america may be unique in being a country which has leapt
from barbarism to decadence without touching civilization."
-- john o'hara
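The two points of the exchange above, that the policy map is keyed by the next-hop destination rather than the recipient domain, and that "verify" is just "secure" with a weaker default match on the DNS-supplied MX hostname, laid out as a Postfix configuration fragment. This is an added illustration, not configuration from the thread; the domain names, the relay host and the file path /etc/postfix/tls_policy are assumptions.

```text
# main.cf (assumed): policy table lookups are keyed by the next-hop
# destination (transport/relayhost nexthop, or the recipient domain when
# no transport entry overrides it), with optional [] and :port.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile      = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/tls_policy (assumed file; run "postmap" after editing)
#
# Recipient domain example.org delivered directly: the lookup key is the
# domain itself. "secure" with an explicit match= list pins the expected
# server names in the policy table, so a spoofed MX answer cannot steer
# the match (the default "secure" match is nexthop:dot-nexthop).
example.org                secure match=mx1.example.org:mx2.example.org

# Mail routed via a transport/relayhost nexthop: the key is the nexthop,
# including brackets and port, not the recipient domain behind it.
[relay.example.net]:587    secure

# The behaviour "verify" gives by default, spelled out at "secure" level:
# match the certificate against the MX hostname obtained from DNS.
# This is only as trustworthy as the DNS answer, which is the caveat in
# Victor's reply and the DNSSEC-validated-recursor case in Martin's.
example.net                secure match=hostname

# Equivalent shorthand with the weaker default match; kept here only to
# show the two lines mean the same thing, not as a recommendation.
example.net                verify
```

Because "verify" and "secure match=hostname" coincide, anyone reviewing a policy table can treat every "verify" entry as a question: is the name being matched one we control in the table, or one an attacker could hand us via DNS?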