On Wed, Mar 06, 2013 at 02:52:31PM -0500, Paul Wouters wrote:

> >>*ducks*
> >
> >No need to duck
> 
> I was ducking for other people :)
> 
> >, if DNSSEC serves up usable TLSA records, then
> >indeed Postfix won't deliver without TLS.
> 
> And that is what the majority did not want the specification to mean.
> They wanted the "is TLS mandatory for this connection or not" to be
> signaled with a separate record, the draft had HASTLS. However, that
> draft hasn't moved at all in over a year, and I am personally in favour
> of using the presence of a TLSA record to mean "do not contact without
> TLS".

Perhaps this has changed:

        https://tools.ietf.org/html/draft-ietf-dane-srv-02#section-3.2

        https://tools.ietf.org/html/draft-ietf-dane-smtp-01#section-3

Both say that TLS is mandatory when "secure" TLSA records are
present even if unusable!  Based on this, Postfix will do mandatory
TLS in this case, but without PKIX validation, providing the usual
(for MTAs) protection from passive eavesdropping.  The legacy public
CA PKI simply does not work well enough for MTAs to be broadly
useful.

Thanks for bringing my attention to this issue.

-- 
        Viktor.
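As an added example (my own code, not Viktor's or Postfix's; the function and record names are mine), the policy decision discussed above in Python: "secure" TLSA records make TLS mandatory even when none of them is usable, a usable record adds DANE authentication, and anything else stays opportunistic. It assumes the caller already has the DNSSEC validation status of the TLSA RRset plus the peer's DER certificate and SubjectPublicKeyInfo bytes; treating a bogus validation result as a lookup failure is an assumption of the example, not something the mail states.

```python
"""Outbound-MTA TLS policy from a DNSSEC-validated TLSA lookup (added example)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_for_key(spki_der: bytes) -> TLSA:
    """Record a domain would publish: DANE-EE(3), SPKI(1), SHA-256(1)."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def usable(r: TLSA) -> bool:
    """Usable means the MTA can authenticate with it: DANE-TA(2) or DANE-EE(3)
    with supported parameters. Usages 0/1 depend on the public CA PKI, which
    the thread argues is not broadly useful for MTAs."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def tls_policy(validation: str, records) -> str:
    """validation is the DNSSEC result for the TLSA RRset:
    'secure', 'insecure' (unsigned zone, or no records) or 'bogus'."""
    if validation == "bogus":
        return "defer"    # assumption: failed validation == failed lookup
    if validation != "secure" or not records:
        return "may"      # opportunistic TLS, as for non-DANE destinations
    if any(usable(r) for r in records):
        return "dane"     # mandatory TLS with DANE authentication
    return "encrypt"      # mandatory TLS, no PKIX: stops passive eavesdropping


def matches(r: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare a usable record with one certificate (the end entity for
    DANE-EE, an issuer from the chain for DANE-TA)."""
    selected = cert_der if r.selector == 0 else spki_der
    if r.mtype == 0:
        return selected == r.data
    digest = hashlib.sha256 if r.mtype == 1 else hashlib.sha512
    return digest(selected).digest() == r.data
```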
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane