On 2023-03-13 06:06:11 +0800, Jeremy Ardley wrote:
> On 13/3/23 05:52, Vincent Lefevre wrote:
> > Yes, but here, that's optional. So I'm wondering whether you really
> > miss anything. Note also that a client certificate may be sent only
> > if it is requested by the server, and if client certificates are
> > requested, then there are issues with some clients:
> > 
> > http://www.postfix.org/TLS_README.html#server_vrfy_client
> 
> That document refers to troublesome Netscape clients (I didn't know Netscape
> did email?). Netscape went defunct in 2008 so there will be vanishingly few
> still using it.

The document also mentions qmail, which is still used nowadays,
e.g. by apache.org and opengroup.org. I suppose that if the
default is still "off", there's some reason.

> Observing my mailing lists I see several categories of mailer.
> 
>  * Anonymous TLS connection
>  * TLS connection with certificate that can't be verified
>  * TLS connection with certificate that can be verified
>  * TLS connection with verified R3 (letsencrypt) certificate.

"Anonymous TLS connection from" is what I always get when TLS is
used, and I suppose that's because my server doesn't request a
client certificate ("off"). That's for received mail.

When sending mail, I always get one of
  Trusted TLS connection established to
  Verified TLS connection established to
probably thanks to DANE (smtp_tls_security_level = dane).

> Each of those options has been chosen by the mail list administrator.
> 
> As a general principle it's a good thing to know the system sending you mail
> is genuine. Given the variety, there is no point in rejecting the email if
> there is no certificate, but having a verified certificate could be used to
> streamline any anti-spam processes such as not greylisting. I don't know if
> postfix can do that yet, but it seems it would be a good thing.

I think that DNS attacks are rather rare. Though strong authentication
is useful for various kinds of application, it is much less important
for antispam (I doubt that spammers do DNS attacks to let their spam
through).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
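Added example (not from the thread, and not Postfix's own code): a small Python classifier for the Postfix TLS handshake log lines discussed above, counting inbound and outbound connections per trust level (Anonymous, Untrusted, Trusted, Verified). The sample syslog lines are constructed to follow Postfix's log format; the host names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in Postfix's format (not taken from the
# original thread); hosts use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar 13 06:01:02 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 13 06:02:10 mx postfix/smtpd[1202]: Untrusted TLS connection established from relay.example.com[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 13 06:03:15 mx postfix/smtp[1303]: Trusted TLS connection established to mx.example.net[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 13 06:04:20 mx postfix/smtp[1304]: Verified TLS connection established to mx2.example.net[198.51.100.6]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar 13 06:05:30 mx postfix/smtpd[1205]: connect from unknown[203.0.113.7]
"""

# Postfix trust levels, weakest to strongest: Anonymous (no certificate was
# presented, e.g. because the server did not ask for one), Untrusted
# (certificate presented but not verifiable), Trusted (chains to a trusted CA),
# Verified (additionally matches the expected name or a DANE TLSA record).
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>[^\s\[]+\[[^\]]+\])(?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def parse_tls_line(line):
    """Return a dict describing a TLS handshake log line, or None for other lines."""
    m = TLS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # smtpd logs "from" (mail received), smtp logs "to" (mail sent).
    rec["direction"] = "inbound" if rec["direction"] == "from" else "outbound"
    # Only Trusted/Verified give any assurance about who the peer actually is.
    rec["authenticated"] = rec["level"] in ("Trusted", "Verified")
    return rec

def summarize(log_text):
    """Count handshakes per (direction, trust level), like the categories in the thread."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is not None:
            counts[(rec["direction"], rec["level"])] += 1
    return counts

if __name__ == "__main__":
    for (direction, level), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:8} {level:10} {n}")
```

Run it against a real mail log (e.g. the output of `grep 'TLS connection established' /var/log/mail.log`) to see which of the four categories your peers actually fall into before deciding whether certificate-based exemptions would be worth anything.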
