On Mon, Jun 29, 2015 at 06:15:09PM -0700, Carl Byington wrote:

> dnssec/dane-smtp closes that loophole.
> The receiver needs to care enough about closing that loophole to publish
> a dnssec secured tlsa record for _25._tcp.mx-target-name, and the sender
> needs to care enough about it to use that tlsa record to enforce a tls-
> only policy towards that mx target. And the sender must apply the
> constraints in that tlsa record to the X.509 certificate offered by the
> receiver.

Yes. Today, if you're running Postfix and you turn on DANE and configure
your DNS resolver to do DNSSEC verification, when you send an email
to the address I'm sending from right now, the connection between your
MTA and mine will be encrypted and authenticated. If a MITM gets in the
way and drops the "STARTTLS" advertisement from my EHLO response or
inserts their own SSL cert in the middle, it will be detected, logged
and the message will stay queued/bounce depending on your config.

So all we need is for everyone to adopt DNSSEC and DANE and we're
sorted ;) Well, Google, Microsoft and Yahoo doing it would be a
nice start.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4

* Want to hire me? Currently available for full-time and contracts
* https://hireme.grepular.com <- More info here


_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
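The two halves of the loophole-closing described in the thread, the receiver publishing a TLSA record for _25._tcp.mx-target-name and the sender applying that record's constraints to the certificate the receiver presents, as an added worked example that is not from the thread, from Postfix, or from either poster. It is standard-library Python: a minimal DER walker pulls the subjectPublicKeyInfo out of a certificate, the RFC 6698 selector/matching-type combinations produce the record's association data, and a sender-side check decides whether a presented leaf matches a DANE-EE (usage 3) record. The certificate is a constructed, unsigned DER blob with the real X.509 field order (a stand-in so the block runs offline, not a real certificate), the host name mx.example.com and the key bytes are placeholders, and usage 2 (DANE-TA) is deliberately left out because it needs chain building to the trust anchor. The Postfix parameters in the module docstring are the real sender-side settings the mail refers to.

```python
"""TLSA (RFC 6698) construction and DANE-EE matching for SMTP, stdlib only.

Added example; the certificate is a constructed, unsigned stand-in.
Postfix sender side that consumes such records (real parameters):
    smtp_dns_support_level  = dnssec
    smtp_tls_security_level = dane
    smtp_tls_loglevel       = 1
"""
import hashlib

# ---- minimal DER encode/decode ------------------------------------------
def der_tlv(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Return (tag, body, end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, buf[pos + hdr:pos + hdr + n], pos + hdr + n

def der_children(body):
    """Yield (tag, full_tlv_bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        yield tag, body[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """subjectPublicKeyInfo from Certificate -> tbsCertificate. TBS fields:
    [0] version (optional), serial, signature, issuer, validity, subject, SPKI."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs = next(der_children(cert_body))
    fields = list(der_children(der_read(tbs)[1]))
    if fields[0][0] == 0xA0:            # explicit [0] version tag present
        fields = fields[1:]
    return fields[5][1]

# ---- TLSA (RFC 6698 section 2.1) ----------------------------------------
USAGE_DANE_EE = 3                       # usages 0/1 are unusable for SMTP (RFC 7672)
SEL_FULL, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def association_data(cert_der, selector, matching_type):
    """Certificate association data a record with these parameters carries."""
    data = {SEL_FULL: cert_der, SEL_SPKI: spki_from_cert(cert_der)}[selector]
    if matching_type == MATCH_EXACT:
        return data
    algo = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}[matching_type]
    return algo(data).digest()

def tlsa_record(mx_host, cert_der, usage=USAGE_DANE_EE, selector=SEL_SPKI,
                matching_type=MATCH_SHA256, port=25):
    """Presentation-format record for _port._tcp.mx_host (3 1 1 by default)."""
    cad = association_data(cert_der, selector, matching_type).hex()
    return f"_{port}._tcp.{mx_host}. IN TLSA {usage} {selector} {matching_type} {cad}"

def parse_tlsa(text):
    """Parse a presentation-format record into (usage, selector, mtype, cad)."""
    p = text.split()
    i = p.index("TLSA")
    return int(p[i + 1]), int(p[i + 2]), int(p[i + 3]), bytes.fromhex("".join(p[i + 4:]))

def dane_ee_matches(leaf_der, records):
    """Sender-side check: does the presented leaf match a usable DANE-EE record?
    Records with unknown parameters are skipped as unusable, never matched."""
    for usage, selector, mtype, cad in records:
        if usage != USAGE_DANE_EE or selector > SEL_SPKI or mtype > MATCH_SHA512:
            continue
        if association_data(leaf_der, selector, mtype) == cad:
            return True
    return False

# ---- constructed stand-in certificate (NOT a real, signed certificate) ---
def constructed_certificate(pubkey, not_after=b"160629000000Z"):
    """Certificate-shaped DER with the real field order; signature is zeros."""
    null = der_tlv(0x05, b"")
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + null)  # sha256WithRSA
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + null)  # rsaEncryption
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
        der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, b"mx.example.com"))))  # CN=
    validity = der_tlv(0x30, der_tlv(0x17, b"150629000000Z") + der_tlv(0x17, not_after))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + pubkey))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 33)), spki

KEY = b"\x11" * 64                      # constructed placeholder key bytes
CERT, SPKI = constructed_certificate(KEY)

def demo():
    """Receiver publishes 3 1 1; sender checks what each presented leaf yields."""
    record = tlsa_record("mx.example.com", CERT)
    rec311 = [parse_tlsa(record)]
    rec301 = [parse_tlsa(tlsa_record("mx.example.com", CERT, selector=SEL_FULL))]
    renewed, _ = constructed_certificate(KEY, not_after=b"170629000000Z")  # same key, reissued
    stranger, _ = constructed_certificate(b"\x22" * 64)                     # MITM with its own key
    return {
        "record": record,
        "leaf_matches": dane_ee_matches(CERT, rec311),
        "renewed_matches_311": dane_ee_matches(renewed, rec311),  # key pinned: survives renewal
        "renewed_matches_301": dane_ee_matches(renewed, rec301),  # full cert pinned: breaks
        "stranger_matches": dane_ee_matches(stranger, rec311),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The run shows why "3 1 1" is the usual choice: pinning the SPKI keeps the record valid across certificate renewals with the same key, while a "3 0 1" record breaks on every reissue, and a certificate from a different key never matches either. With the Postfix settings in the docstring and a validating resolver, a match is what lets the sender log a verified connection, and a mismatch or a stripped STARTTLS is what leaves the message queued or bounced as the mail describes.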
