Hello dear Wietse Venema, Viktor Dukhovni, all,

there is this IETF draft which asks for support of SMTPS (aka really, now), that is Implicit TLS via a dedicated port for SMTP. It does not conflict with Viktor's DANE for SMTP (which I, for example, cannot use at all without starting to run my own nameserver, as the managed DNS does not offer TLSA, nor DNSSEC as such, yet), but can very well work hand in hand, as DANE only makes TLS a MUST, but only via STARTTLS.
The draft invents _smtps._tcp, and here that clashes with Postfix's documentation, as that still refers to smtps as the former name of what became submissions a pretty long time ago. I.e., if _smtps._tcp.DOMAIN exists and the port is 0, then the host asserts it supports STARTTLS; if the port is not 0, then it in addition offers Implicit TLS on that port. The draft asks for 26, which is free. If I understood the code right, it seems it would not be that hard to implement for Postfix, as SRV queries are already in the code path?

I added the following to my Postfix master.cf:

  26 inet n - n - - smtpd
    -o syslog_name=tlsoutwall
    -o smtpd_tls_wrappermode=yes
    -o milter_macro_daemon_name=verify

and changed the SRV to

  # dig _smtps._tcp.sdaoden.eu SRV
  _smtps._tcp.sdaoden.eu. 14400 IN SRV 0 1 26 sdaoden.eu.

after Jeremy Harris of exim.org asked for interoperability tests, and then I indeed received a message from him, as via

  Dec 27 14:44:40 tlsoutwall/smtpd[29085]: Untrusted TLS connection established from ...: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits)
  ...
  Dec 27 14:44:41 tlsoutwall/smtpd[29085]: disconnect from ... ehlo=1 mail=1 rcpt=1 bdat=1 quit=1 commands=5

which I found terrific: only one EHLO, no STARTTLS roundtrip. Jeremy Harris of course said that it will not become part of the regular "codebase unless there is obvious community interest", and so I am asking whether Postfix would be interested in this.

A nice Sunday I wish from Germany.

Ciao,
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|
|In Fall and Winter, feel "The Dropbear Bard"s pint(er).
|
|The banded bear
|without a care,
|Banged on himself for e'er and e'er
|
|Farewell, dear collar bear

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
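The post describes the client-side decision a sending MTA would have to make from the _smtps._tcp SRV record: port 0 means "STARTTLS is supported", a nonzero port means "Implicit TLS is additionally offered on that port", and no record at all means today's behaviour. The following is an added example written for this page, not code from the post, from Postfix, or from the draft; it parses dig-style SRV answers (constructed sample records, not the real sdaoden.eu zone), orders them by SRV priority and weight, and returns a delivery plan. Assumptions are labelled in the comments: a target of "." with port 0 is treated as "use the fallback MX host", and the connection helper uses Python's smtplib with a verifying TLS context, which is not what Postfix's smtp(8) does internally.

```python
"""Plan SMTP transport from _smtps._tcp SRV records as the post describes the
draft: port 0 = STARTTLS asserted, nonzero port = Implicit TLS on that port.
Added example; constructed records; not Postfix code."""
import re
import smtplib
import ssl
from dataclasses import dataclass

# One dig-style SRV answer line, e.g.
# "_smtps._tcp.example.test. 14400 IN SRV 0 1 26 mail.example.test."
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed sample answer, mirroring the record shape quoted in the post.
SAMPLE_ANSWER = [
    "; constructed example zone, not a real lookup",
    "_smtps._tcp.example.test. 14400 IN SRV 0 1 26 mail.example.test.",
    "_smtps._tcp.example.test. 14400 IN SRV 10 1 0 backup.example.test.",
]


@dataclass(frozen=True)
class TlsPlan:
    host: str
    mode: str   # "implicit", "starttls" or "opportunistic"
    port: int   # the SRV port for implicit TLS, otherwise 25


def parse_srv(lines):
    """Return (priority, weight, port, target) tuples from dig-style output.
    Comment lines (';') and blank lines are skipped; anything else that is
    not an SRV record raises ValueError rather than being silently ignored."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append((int(m["prio"]), int(m["weight"]),
                        int(m["port"]), m["target"].rstrip(".")))
    return records


def plan_from_srv(records, fallback_host):
    """Turn SRV records into delivery plans, lowest priority value first,
    higher weight first within a priority (the usual SRV ordering).
    No record at all: behave as today (opportunistic STARTTLS on port 25)."""
    if not records:
        return [TlsPlan(fallback_host, "opportunistic", 25)]
    plans = []
    for prio, weight, port, target in sorted(records, key=lambda r: (r[0], -r[1])):
        if port == 0:
            # Assumption: port 0 asserts STARTTLS; a target of "." names no
            # host of its own, so the fallback (MX) host is used.
            host = fallback_host if target in ("", ".") else target
            plans.append(TlsPlan(host, "starttls", 25))
        else:
            plans.append(TlsPlan(target, "implicit", port))
    return plans


def connect(plan, timeout=30):
    """Open the connection the plan calls for. Not exercised offline.
    Implicit TLS skips the STARTTLS round trip entirely, which is the
    'only one EHLO' effect the post observed in its smtpd log."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if plan.mode == "implicit":
        return smtplib.SMTP_SSL(plan.host, plan.port, timeout=timeout, context=ctx)
    s = smtplib.SMTP(plan.host, plan.port, timeout=timeout)
    s.starttls(context=ctx)  # smtplib re-issues EHLO on the next command
    return s


if __name__ == "__main__":
    for p in plan_from_srv(parse_srv(SAMPLE_ANSWER), "mx.example.test"):
        print(p)
```

Running the block on the constructed answer yields an implicit-TLS plan for mail.example.test:26 first and a STARTTLS plan for backup.example.test:25 second; with an empty answer it falls back to opportunistic STARTTLS on the MX host, which is the behaviour an SRV-unaware sender has today.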