
Re: Lookup key of smtp_tls_policy_maps

  • martin f krafft
    Message 1 of 5, Aug 30, 2010
      also sprach Victor Duchovni <Victor.Duchovni@...> [2010.08.30.1611 +0200]:
      > > Is it intentional then that the TLS policy map is searched for
      > > the nexthop, if one is defined there?
      >
      > Yes.
      >
      > > Does it /also/ check the policy for the recipient domain?
      >
      > No. TLS policy is by nexthop. TLS is a hop-by-hop security
      > protocol, not an end-to-end security mechanism like S/MIME or
      > OpenPGP.

      Good point, very illuminating perspective; thank you for clearing
      this up for me.

      > > Now you are talking about the verification match. You say that
      > > it's not possible to use DNS data for verification. In the light
      > > of this, what then is the difference between the "verify" and
      > > the "secure" policies?
      >
      > The default matching rules for "verify" include the MX hostname.
      > The "verify" security level is not recommended. Its inclusion in
      > the design is (with 20/20 hindsight) an error. Since one can
      > specify the matching rules for "secure", there is not really
      > a need for a different "verify" level that differs only in the
      > default matching rules.

      But I beg to differ with your hindsight, but only with a small
      use-case: if you can be sure that *all* DNS responses are
      secure/trustworthy (read: closed set of zones, DNSSEC validation by
      the recursor on the MX), then "verify" allows you to keep the match
      information in one place: the DNS MX records.

      Arguably, this is a teeny-tiny use-case, so I tend to agree with
      you.

      Thanks,

      --
      martin | http://madduck.net/ | http://two.sentenc.es/

      "america may be unique in being a country which has leapt
      from barbarism to decadence without touching civilization."
      -- john o'hara

      spamtraps: madduck.bogus@...
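A Postfix configuration sketch of the two points made in this exchange (the policy table is keyed by the next-hop rather than the recipient domain, and "secure" with an explicit match rule reproduces what "verify" does by default), added here as an illustration and not taken from the thread; all host and domain names are constructed:

```conf
# main.cf (constructed example)
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
transport_maps       = hash:/etc/postfix/transport

# /etc/postfix/transport (constructed)
# Mail for example.org is handed to a relay. The relay, not example.org,
# is the next-hop, so it is the relay's entry in tls_policy that applies.
example.org           smtp:[relay.example.net]

# /etc/postfix/tls_policy (constructed; key = next-hop destination)
# The bracketed relay next-hop is looked up verbatim.
[relay.example.net]   secure match=relay.example.net

# Direct MX delivery: "secure" with its default match rules (nexthop,
# dot-nexthop) checks the certificate against the next-hop domain itself,
# so the expected name never depends on untrusted MX data from DNS.
example.com           secure

# "verify" matches the certificate against the MX hostname returned by DNS,
# which is only as trustworthy as the DNS path (the DNSSEC case above).
# Spelling the same rule out with "secure match=hostname" gives the same
# behaviour, which is why a separate "verify" level is redundant.
example.net           verify
example.edu           secure match=hostname
```

After editing the tables, rebuild them with postmap(1) before Postfix picks up the new keys.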