On 2/3/19 1:36 PM, Viktor Dukhovni via Exim-users wrote:
> On Thu, Jan 31, 2019 at 08:58:04PM -0800, Alice Wonder via Exim-users wrote:
>> One thing I am hoping is that an update to the standard will be
>> published that allows the mode (enforce or testing or none) to be
>> published in the DNS record for MTA-STS.
>> When the zone is DNSSEC signed, the MX record could then be trusted and
>> there would be no need to query the https server.
> When the zone is DNSSEC-signed it can use DANE if its MX hosts are
> also in signed zones and have TLSA records. Even Google now has a
> few signed MX hosts in the form of mx[1234].smtp.goog . These are
> actually alternative names for the same underlying bunch of nodes
> as the unsigned names you're used to. Once they add TLSA records,
> they'll have support for inbound DANE.
> So I don't see a compelling case for signed domains to go with
> MTA-STS.
Some don't want to have to coordinate certificates with fingerprints in
TLSA records. As more hosting providers provide DNSSEC by default when
you use their DNS as well, MTA-STS may be easier than generating a new
fingerprint from the key pair every time a new key is generated.
And some distributions of Exim ship without DANE enabled at build time.
Fedora, for example. Not sure why.
But I agree DANE for SMTP is better.
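As an added example (not code from either poster or from Exim), here is how the TLSA fingerprint discussed above is derived with Go's standard library: it issues a throw-away self-signed certificate for a placeholder MX name, builds the DANE-EE record for _25._tcp, and shows that with selector 1 (SubjectPublicKeyInfo) the record only changes when the key changes, not on every certificate renewal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER issues a throw-away self-signed DER certificate for hostname; same key + new serial models a renewal.
func selfSignedDER(pub ed25519.PublicKey, priv ed25519.PrivateKey, hostname string, serial int64) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

// tlsaRData returns DANE-EE TLSA RDATA (usage 3, matching type 1 = SHA-256) for a DER
// certificate: selector 1 hashes only the SubjectPublicKeyInfo, selector 0 the whole cert.
func tlsaRData(der []byte, selector int) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	data := cert.Raw // selector 0
	if selector == 1 {
		data = cert.RawSubjectPublicKeyInfo
	} else if selector != 0 {
		return "", fmt.Errorf("unsupported selector %d", selector)
	}
	sum := sha256.Sum256(data)
	return fmt.Sprintf("3 %d 1 %x", selector, sum[:]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a, _ := tlsaRData(selfSignedDER(pub, priv, "mx1.example.net", 1), 1) // placeholder MX name
	b, _ := tlsaRData(selfSignedDER(pub, priv, "mx1.example.net", 2), 1)
	fmt.Println("_25._tcp.mx1.example.net. IN TLSA", a, "\nrenewed with same key, unchanged:", a == b)
}
```

Publishing a "3 1 1" record therefore only needs a new fingerprint when the MX host's key pair is rotated; a "3 0 1" record would have to be updated on every renewal.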
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/