There's been some discussion on the list recently about using the 'relay
tls verify' to mitigate STARTTLS downgrade attacks. [1]
Gilles suggested using something like this in smtpd.conf as a protective
measure:
    table validcrt file:/etc/mail/hosts-with-valid-certs
    accept for domain <validcrt> relay tls verify
The question then becomes, how to build the list of domains in the
'validcrt' table.
I've been performing this manually by applying some text processing tools
to the maillogs, but figured there has to be a better way.
The other week I noticed a host 'tls-scan.informatik.uni-bremen.de'
showing up in my spamd logs. I visited the web page and found this
statement on their web site:
"The TLS Policy Database collects information about the TLS capability and
certificate validity of mailservers on the internet. We provide a simple
DNS based database to help you to secure your outgoing email connections." [2]
Perfect! This could be a useful resource for building a table of STARTTLS
capable mailservers that present verifiable certificates. Combine that
with a rule using the 'relay tls verify' option and I believe this would
greatly improve email transport security.
[1] http://www.mail-archive.com/misc%40opensmtpd.org/msg01967.html
[2] http://tls-scan.informatik.uni-bremen.de/
--
You received this mail because you are subscribed to misc@opensmtpd.org