On 23 Aug 2015, at 19:47, Paul Wouters wrote:

> On Sun, 23 Aug 2015, Patrik Fältström wrote:
>
>> Also, in my example the RRSet the MX is in is _unsigned_:
>>
>> example.com. IN MX 0 mail.example.net.
>>
>> 2. Delivery of the mail over TLS to mail.example.net.
>
> so example.com is unsigned? and mail.example.net is signed, and the TLSA
> record in example.net is signed.

Correct.

> In that case, I believe TLS will be used but the TLSA cannot be
> verified, so while delivery happens over TLS, there is no way to
> verify the identity of the receiver because the MX record could have
> been spoofed.

Excuse me for being slow here. What do you mean by "the TLSA cannot be verified"?

To be more precise:

Unsigned RRSET contains:

example.net. IN MX 0 mail.example.com.

Signed (and properly validated) RRSETs that contain these two records and a few more:

mail.example.com. IN A 192.168.1.1
_426._tcp.mail.example.com. IN TLSA ....

I.e. if only looking at mail.example.com. and _426._tcp.mail.example.com. that is a 100% properly set up DANE "thing".

> I think you are arguing that it should deliver TLS only after validation
> of the TLSA record for mail.example.net. That validation is a false
> sense of security though.
>
> I don't think mail delivery will be halted. Since the example.com domain
> is unsigned, anonymous TLS will be used when available, and no
> verification will take place.
>
> I'm not sure what you are proposing to change?

I am not sure I am proposing a change. :-)

What seems to have happened in the tests that Jan did was that IF the MX was not signed, BUT the TLSA was signed and validated correctly, THEN postfix did _NOT_ deliver the email. At all.

I think that behaviour is wrong, and am unsure whether it is a bug in postfix or whether it is a bug in the spec.

Patrik
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
