On Fri, Feb 22, 2013 at 11:33:53AM -0500, Wietse Venema wrote:

> Viktor Dukhovni:
> > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote:
> > 
> > > > We are trying to establish enforced TLS with a partner that hosts about
> > > > 2000 recipient domains. All of these point to the same four MX records:
> > > > 
> > > >     host[1-4].example.com
> > > > 
> > > > As I did not want to specify all of these domains in our tls_policy
> > > > file, I wanted to ask if there is any option to enforce TLS by those MX
> > > > addresses.
> > > 
> > > Surely, the policy table is indexed by MX hostname as well as
> > > recipient domain.
> > 
> > No, it is not. Only the nexthop domain is used since the MX host
> 
> I see. This was a property of the legacy tls-per-site table.

Yep, security is a pain. I did not want to provide a false sense
of security with the new policy table. None of the fancy certificate
verification is worth much if it is trivially subverted with a
forged DNS response. We will be able to meet user expectations
once DNSSEC is more pervasive (5-10 years with a bit of luck,
they will typically be running 2.11 or later by then too).

-- 
        Viktor.
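
The downgrade Viktor alludes to, modelled as an added example (this is illustration code written for this page, not Postfix code and not anything posted in the thread). It compares a legacy per-MX-host policy table with a policy table keyed by the nexthop (recipient) domain, under an honest and a forged MX answer. The domain partner.example.org, the attacker host mx.attacker.example.net, the policy contents and the simplified "match=" semantics (a leading dot matches any subdomain, otherwise exact) are all constructed assumptions for the demonstration.

```python
"""Why a TLS policy keyed by MX hostname is subvertible by a forged DNS
response, while one keyed by the nexthop domain is not.  Toy model, not
Postfix code; every name and table below is constructed for the example."""

from dataclasses import dataclass

# Constructed sender-side policy tables.
LEGACY_PER_MX_POLICY = {            # legacy tls-per-site style: keyed by MX host
    "host1.example.com": "secure",
    "host2.example.com": "secure",
    "host3.example.com": "secure",
    "host4.example.com": "secure",
}
NEXTHOP_POLICY = {                  # smtp_tls_policy_maps style: keyed by nexthop domain
    # (security level, name the peer certificate must match)
    "partner.example.org": ("secure", ".example.com"),
}
DEFAULT_LEVEL = "may"               # what a lookup miss falls back to (opportunistic TLS)

# Two DNS views of the same recipient domain: the real MX, and a spoofed answer
# that points the sender at a host the attacker controls.
HONEST_MX = {"partner.example.org": "host1.example.com"}
FORGED_MX = {"partner.example.org": "mx.attacker.example.net"}


@dataclass
class Outcome:
    level: str            # security level the sender ended up enforcing
    cert_verified: bool   # did the peer certificate satisfy the policy?
    delivered: bool       # was mail handed over (True) or deferred (False)?


def name_matches(cert_name: str, pattern: str) -> bool:
    """Simplified match= rule: '.suffix' matches any name under suffix,
    anything else must match exactly.  An assumption of this model."""
    if pattern.startswith("."):
        return cert_name.endswith(pattern)
    return cert_name == pattern


def deliver_per_mx(domain: str, mx_view: dict, cert_name: str) -> Outcome:
    """Legacy behaviour: the policy is selected by the MX hostname that
    (unauthenticated) DNS returned, so the attacker chooses the lookup key."""
    mx = mx_view[domain]
    level = LEGACY_PER_MX_POLICY.get(mx, DEFAULT_LEVEL)
    if level == "may":
        # Opportunistic: encrypt if offered, verify nothing, always deliver.
        return Outcome(level, cert_verified=False, delivered=True)
    # "secure" entry: the certificate must match the MX name we looked up.
    ok = name_matches(cert_name, mx)
    return Outcome(level, cert_verified=ok, delivered=ok)


def deliver_per_nexthop(domain: str, mx_view: dict, cert_name: str) -> Outcome:
    """smtp_tls_policy_maps behaviour: the policy is selected by the nexthop
    domain, which the attacker cannot influence; the MX is only used to connect."""
    _mx = mx_view[domain]           # needed for the connection, irrelevant to policy
    level, match = NEXTHOP_POLICY.get(domain, (DEFAULT_LEVEL, None))
    if level == "may":
        return Outcome(level, cert_verified=False, delivered=True)
    ok = name_matches(cert_name, match)
    return Outcome(level, cert_verified=ok, delivered=ok)


if __name__ == "__main__":
    dom = "partner.example.org"
    # The attacker presents a certificate that is perfectly valid for its own host.
    print("per-MX,      honest DNS:", deliver_per_mx(dom, HONEST_MX, "host1.example.com"))
    print("per-MX,      forged DNS:", deliver_per_mx(dom, FORGED_MX, "mx.attacker.example.net"))
    print("per-nexthop, honest DNS:", deliver_per_nexthop(dom, HONEST_MX, "host1.example.com"))
    print("per-nexthop, forged DNS:", deliver_per_nexthop(dom, FORGED_MX, "mx.attacker.example.net"))
```

With the forged MX answer, the per-MX table simply misses (the attacker's hostname has no entry), the sender falls back to opportunistic "may" and delivers unverified mail to the attacker's host. The per-nexthop table still selects "secure" with match=.example.com for partner.example.org, the attacker's certificate does not match, and delivery is deferred rather than handed over. Without DNSSEC the MX lookup is the one input the attacker controls, which is exactly why it makes a poor policy key.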
