On Mon, May 11, 2015 at 10:43:23PM +0200, Johannes Löthberg wrote:
> On 11/05, Gilles Chehade wrote:
> >Hi,
> >
> >On Mon, May 11, 2015 at 07:25:19AM -0700, Seth wrote:
> >>At this point you might think you can make a choice: "I'll require
> >>encryption on all my connections and accept the tradeoff of only receiving
> >>from and delivering to servers that support STARTTLS". Or, "I'll make a
> >>whitelist of known domains for which I require STARTTLS because I know they
> >>support it".
> >>
> >
> >This is what you can achieve with "require-tls" ...
> >
> 
> There is one server which has a feature to automatically save domains to a
> whitelist to always force TLS on, though I don't remember which one. It
> seems like it could be nice to implement if it wouldn't be too hard.
> 
    table validcrt file:/etc/mail/hosts-with-valid-certs
    accept for domain <validcrt> relay tls verify

> >>DNSSEC
> >>
> >
> >DANE offers good protection about this, I actually have prototype code for
> >DANE support in OpenSMTPD but:
> >
> >1- it requires libasr to support DNSSEC, otherwise we just moved the MITM
> >   issue to the DNS protocol ;-)
> >
> >2- DNSSEC is still painful to setup, no one does it unfortunately :-/
> >
> 
> That's cool, do you have it public somewhere? And do you know how much work
> it would be to support DNSSEC in libasr?
> 

The DANE code? Nope, it's nowhere public, it is a proof of concept I wrote
last weekend to see how much effort would be required in OpenSMTPD to support
it. The code relies on a hack because the lka.c code needs a huge refactor if
we want it to fit in. I have started working on it, but right now the focus is
on the upcoming major release.

As for DNSSEC support in libasr, I have not had a very deep look into it so
from a quick sight I'd say it's not that much work, I could be wrong.

-- 
Gilles Chehade

https://www.poolp.org @poolpOrg

-- 
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
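The thread above touches three outbound-TLS policies for a mail relay: DANE (TLSA records, only meaningful when the DNS answer is DNSSEC-authenticated, which is Gilles's point 1), a per-domain whitelist of hosts whose certificates are known to verify (the `relay tls verify` table), and plain opportunistic STARTTLS for everyone else. The following is an added example written for this page, not OpenSMTPD's DANE prototype or any part of OpenSMTPD. It implements the TLSA record semantics from RFC 6698/7672 (usage, selector, matching type) and the policy choice between the three modes. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins; a real client would take the leaf and chain DER from its TLS library, and the AD-bit / DNSSEC status from a validating resolver (exactly what libasr lacks in the thread).

```python
"""Outbound-SMTP TLS policy sketch: DANE first, then a per-domain
"relay tls verify" whitelist, otherwise opportunistic STARTTLS.

Added example for this thread, not OpenSMTPD code. TLSA semantics follow
RFC 6698/7672. Certificate bytes below are constructed stand-ins; a real
deployment takes leaf and chain DER from the TLS library."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name to query for an MX host, e.g. _25._tcp.mx.example.org."""
    return "_%d._tcp.%s." % (port, mx_host.rstrip("."))


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format 'usage selector mtype hex...'.
    The hex part may be split across several whitespace-separated chunks."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexdata.split())))


def usable(rec: TLSA) -> bool:
    """SMTP DANE (RFC 7672) only acts on DANE-TA(2)/DANE-EE(3) records with a
    selector and matching type the client understands; PKIX-* are unusable."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must equal for this certificate."""
    blob = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return blob
    if rec.mtype == 1:
        return hashlib.sha256(blob).digest()
    return hashlib.sha512(blob).digest()


# A presented chain is a sequence of (cert_der, spki_der) pairs, leaf first.
Chain = Sequence[Tuple[bytes, bytes]]


def dane_verify(records: Iterable[TLSA], chain: Chain) -> bool:
    """True if any usable record matches: DANE-EE is compared against the
    leaf only, DANE-TA against any certificate the server presented. The TLS
    library is assumed to have already checked the chain is well-formed."""
    for rec in records:
        if not usable(rec):
            continue
        candidates = chain[:1] if rec.usage == 3 else chain
        for cert_der, spki_der in candidates:
            if association_data(rec, cert_der, spki_der) == rec.data:
                return True
    return False


def decide_policy(domain: str, records: Sequence[TLSA],
                  dnssec_authenticated: bool, whitelist: Iterable[str]) -> str:
    """Return 'dane', 'encrypt', 'verify' or 'opportunistic'."""
    # Unauthenticated TLSA answers are ignored entirely: enforcing them would
    # only move the MITM from SMTP to DNS, which is point 1 in the thread.
    if dnssec_authenticated and records:
        # Authenticated TLSA present but nothing usable: still insist on TLS,
        # just without DANE authentication, rather than fall back to cleartext.
        return "dane" if any(usable(r) for r in records) else "encrypt"
    if domain in set(whitelist):
        return "verify"        # the 'relay tls verify' whitelist from the thread
    return "opportunistic"


if __name__ == "__main__":
    leaf = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
    rec = parse_tlsa("3 1 1 " + hashlib.sha256(leaf[1]).hexdigest())
    print(tlsa_owner("mx.example.org"),
          decide_policy("example.org", [rec], True, []),
          dane_verify([rec], [leaf]))
```

The `dnssec_authenticated` flag is the whole point: a TLSA RRset that arrived without DNSSEC validation gives an attacker who can spoof DNS the ability to substitute their own certificate hash, so it must not be enforced. The whitelist branch is what the `table validcrt` / `relay tls verify` fragment in the reply achieves statically, and an "automatically save domains to a whitelist" feature as Johannes describes would simply append to that table after a successful verified delivery.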
