Re: Enforced TLS per MX

  • Wietse Venema
    Message 1 of 7 , Feb 22, 2013
      Viktor Dukhovni:
      > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
      >
      > > > We are trying to establish enforced TLS with a partner that hosts about
      > > > 2000 recipient domains. All of these point to the same four MX records:
      > > >
      > > > host[1-4].example.com
      > > >
      > > > As I did not want to specify all of these domains in our tls_policy
      > > > file, I wanted to ask if there is any option to enforce TLS by those MX
      > > > addresses.
      > >
      > > Surely, the policy table is indexed by MX hostname as well as
      > > recipient domain.
      >
      > No, it is not. Only the nexthop domain is used since the MX host

      I see. This was a property of the legacy tls-per-site table.

      Wietse
    • Viktor Dukhovni
      Message 2 of 7 , Feb 22, 2013
        On Fri, Feb 22, 2013 at 11:33:53AM -0500, Wietse Venema wrote:

        > Viktor Dukhovni:
        > > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
        > >
        > > > > We are trying to establish enforced TLS with a partner that hosts about
        > > > > 2000 recipient domains. All of these point to the same four MX records:
        > > > >
        > > > > host[1-4].example.com
        > > > >
        > > > > As I did not want to specify all of these domains in our tls_policy
        > > > > file, I wanted to ask if there is any option to enforce TLS by those MX
        > > > > addresses.
        > > >
        > > > Surely, the policy table is indexed by MX hostname as well as
        > > > recipient domain.
        > >
        > > No, it is not. Only the nexthop domain is used since the MX host
        >
        > I see. This was a property of the legacy tls-per-site table.

        Yep, security is a pain. I did not want to provide a false sense
        of security with the new policy table. None of the fancy certificate
        verification is worth much if it is trivially subverted with a
        forged DNS response. We will be able to meet user expectations
        once DNSSEC is more pervasive (5-10 years with a bit of luck,
        they will typically be running 2.11 or later by then too).

        --
        Viktor.
      • Jan P. Kessler
        Message 3 of 7 , Feb 27, 2013
          On 22.02.2013 17:06, Viktor Dukhovni wrote:
          > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
          >
          >>> We are trying to establish enforced TLS with a partner that hosts about
          >>> 2000 recipient domains. All of these point to the same four MX records:
          >>>
          >>> host[1-4].example.com
          >>>
          >>> As I did not want to specify all of these domains in our tls_policy
          >>> file, I wanted to ask if there is any option to enforce TLS by those MX
          >>> addresses.
          >> Surely, the policy table is indexed by MX hostname as well as
          >> recipient domain.
          > No, it is not. Only the nexthop domain is used since the MX host
          > is derived from unauthenticated MX lookups and is trivially subject
          > to MITM attacks.

          So it would have the same "quality" as the "encrypt" action, no?
          Something between 0 and 100, that could be explicitly mentioned in the
          docs. Doesn't help with a MITM but keeps out the firewall/provider guy
          with debug/snoop/tcpdump - and your idp of course :-(

          But I understand the point and agree with it although it doesn't make me
          very happy. We are replacing an interconnection between some companies
          with several 1000s of domains (actively used, frequently enhanced) via
          leased lines. This required (and unfortunately still requires) a
          database for domain exchange and some kind of 'administrative
          discipline' to keep it updated in time. My expectation is that DNSSEC
          will be globally used before the last point is going to function properly ;)
        • Viktor Dukhovni
          Message 4 of 7 , Feb 27, 2013
            On Thu, Feb 28, 2013 at 12:25:53AM +0100, Jan P. Kessler wrote:

            > On 22.02.2013 17:06, Viktor Dukhovni wrote:
            >
            > > > Surely, the policy table is indexed by MX hostname as well as
            > > > recipient domain.
            > >
            > > No, it is not. Only the nexthop domain is used since the MX host
            > > is derived from unauthenticated MX lookups and is trivially subject
            > > to MITM attacks.
            >
            > So it would have the same "quality" as the "encrypt" action, no?

            Yes.

            --
            Viktor.
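The practical consequence of the thread is that the policy table has to carry one entry per recipient domain, and each entry has to pin the certificate names of the partner's MX hosts, because the MX lookup itself is unauthenticated. The generator below is an added example, not code from the thread or from the Postfix project; the four MX names, the partner-hosted domains and the MX answers are constructed sample data, and the resolver is a stand-in dictionary so the script runs offline. It emits lines in the postconf(5) smtp_tls_policy_maps syntax ("domain level attr=value ...", with colon-separated match= patterns) and flags domains whose MX set has drifted away from the partner, which is the "administrative discipline" problem raised in the last message.

```python
"""Generate a Postfix smtp_tls_policy_maps table for a partner MX cluster.

Added example (not from the thread or the Postfix project). All names and
MX answers below are constructed. Output lines follow the postconf(5)
smtp_tls_policy_maps syntax: "<domain> <level> [match=<pat>:<pat>...]".
"""
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed: the partner's MX cluster as described in the thread.
PARTNER_MX = ["host1.example.com", "host2.example.com",
              "host3.example.com", "host4.example.com"]

# Constructed: the partner's domain list, including one domain that has
# moved to another provider and one that only partly uses the partner.
PARTNER_DOMAINS = ["tenant-a.example.org", "tenant-b.example.net",
                   "moved-away.example.org", "split.example.net"]

# Constructed stand-in for MX lookups so the example runs offline. A real
# generator would query DNS here; those answers are exactly what a MITM
# could forge, so they are used only to detect list drift, never to decide
# what the remote certificate must contain.
FAKE_MX: Dict[str, List[str]] = {
    "tenant-a.example.org": ["host1.example.com", "host2.example.com",
                             "host3.example.com", "host4.example.com"],
    "tenant-b.example.net": ["host2.example.com", "host4.example.com"],
    "moved-away.example.org": ["mail.other-provider.example"],
    "split.example.net": ["host1.example.com", "mx.third-party.example"],
}


def fake_resolver(domain: str) -> List[str]:
    """Hypothetical resolver: returns the constructed MX host list."""
    return FAKE_MX.get(domain, [])


def policy_line(domain: str, mx_hosts: Iterable[str], level: str = "secure") -> str:
    """One policy entry keyed by the nexthop (recipient) domain.

    At the "secure" level Postfix defaults to match=nexthop:dot-nexthop,
    i.e. it expects the recipient domain in the server certificate. The
    partner's MX certificates carry the MX host names instead, so match=
    is set explicitly to those names (colon-separated, as in postconf(5)).
    """
    return f"{domain} {level} match={':'.join(mx_hosts)}"


def classify(domain: str, resolver: Callable[[str], List[str]],
             partner_mx: Iterable[str]) -> str:
    """Compare a domain's MX set with the partner's cluster.

    partner    - every MX is one of the partner hosts (pin it)
    partial    - some MX are elsewhere (needs a human decision)
    foreign    - no MX is a partner host (domain has moved away)
    unresolved - no MX answer at all
    """
    mx, partner = set(resolver(domain)), set(partner_mx)
    if not mx:
        return "unresolved"
    if mx <= partner:
        return "partner"
    if mx & partner:
        return "partial"
    return "foreign"


def build_policy(domains: Iterable[str], resolver: Callable[[str], List[str]],
                 partner_mx: List[str], level: str = "secure") -> Tuple[List[str], List[str]]:
    """Return (policy lines, warnings). Only fully partner-hosted domains
    get an entry; everything else is reported so the list gets maintained
    rather than silently pinning a domain that no longer belongs."""
    lines, warnings = [], []
    for domain in sorted(domains):
        state = classify(domain, resolver, partner_mx)
        if state == "partner":
            lines.append(policy_line(domain, partner_mx, level))
        else:
            warnings.append(f"{domain}: MX set is {state}; no entry written")
    return lines, warnings


if __name__ == "__main__":
    out, warn = build_policy(PARTNER_DOMAINS, fake_resolver, PARTNER_MX)
    print("\n".join(out))                 # feed to: postmap hash:/etc/postfix/tls_policy
    for w in warn:
        print("warning:", w, file=sys.stderr)
```

The generated file is installed with `postmap hash:/etc/postfix/tls_policy` and referenced via `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy`; the partner's issuing CA must be in `smtp_tls_CAfile` or `smtp_tls_CApath` for the `secure` level to succeed. Dropping the level to `encrypt` gives what the thread calls the same "quality" as a per-MX rule: TLS is required, but nothing about the peer is authenticated. The per-MX enforcement the original poster asked for only becomes sound with the `dane` level of Postfix 2.11 and later, where the partner publishes DNSSEC-signed TLSA records for host[1-4].example.com.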