SMTP REQUIRETLS (RFC 8689)

2019-12-12 Thread Max Mazurov
Hello, list.

It is common knowledge that TLS for server-server SMTP is merely opportunistic
and there is no strong guarantee it will be used. Even worse, in many cases 
MTAs lack any protection against active attacks (e.g. via MitM involving
downgrade to plaintext or DNS poisoning to spoof MX records).

There is a new SMTP extension called REQUIRETLS (RFC 8689[2]) that can help
with this by providing clients with a way to require TLS use with authenticated
MX records for security-sensitive messages.

I would like to start a discussion on how this extension can be useful for
Postfix users and whether there is a possibility of getting its support.

Here are some thoughts from the chasquid developer[3]
> ... this RFC introduces significant
> interoperability risks, because any MTA that doesn't support REQUIRETLS
> (which also requires the target domain to implement MTA-STS or DNSSEC,
> both fairly uncommon) will cause the mail to be rejected, which is quite
> strong and can easily cause usability problems.
>
> And this is not that trivial to implement, since it has implications for
> DSNs, aliases expansion, etc. It's more intrusive than it might seem.

[1]: https://www.rfc-editor.org/rfc/rfc7435.html
[2]: https://www.rfc-editor.org/rfc/rfc8689.html
[3]: https://groups.google.com/forum/#!topic/chasquid/1boTw1rvU8g

Cheers,
Max Mazurov
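
Added example (not part of the original post, and not Postfix or chasquid code): the interoperability concern quoted above, written out as the relay decision a sending MTA makes for a message tagged REQUIRETLS under RFC 8689. The class, the function names and the sample EHLO replies are constructed for illustration.

```python
# Added illustration (not Postfix or chasquid code): a sending MTA's relay
# decision for a message that arrived with the REQUIRETLS MAIL FROM
# parameter. All names and the sample EHLO replies are constructed.
from dataclasses import dataclass


@dataclass
class NextHop:
    mx_host: str
    mx_authenticated: bool    # MX lookup validated via DNSSEC or an MTA-STS policy
    ehlo_keywords: frozenset  # keywords from the EHLO reply sent after STARTTLS
    tls_established: bool     # STARTTLS handshake completed
    cert_valid: bool          # server certificate chain and name verified


def parse_ehlo(reply: str) -> frozenset:
    """Extract keywords from a multi-line 250 EHLO reply (first line is the greeting)."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:
        if line[:3] == "250" and line[3:4] in ("-", " "):
            fields = line[4:].split()
            if fields:
                keywords.add(fields[0].upper())
    return frozenset(keywords)


def relay_decision(hop: NextHop, require_tls: bool):
    """Return (deliver, reason). A REQUIRETLS message is never downgraded."""
    if not require_tls:
        return True, "opportunistic delivery"
    if not hop.mx_authenticated:
        return False, "MX record not authenticated"
    if not (hop.tls_established and hop.cert_valid):
        return False, "no verified TLS session"
    if "REQUIRETLS" not in hop.ehlo_keywords:
        return False, "next hop does not advertise REQUIRETLS"
    return True, "deliver with REQUIRETLS on MAIL FROM"


# Constructed post-STARTTLS EHLO replies: a legacy MTA and one with the extension.
LEGACY = "250-mx.legacy.example\n250-PIPELINING\n250-SIZE 10240000\n250 8BITMIME"
MODERN = "250-mx.modern.example\n250-PIPELINING\n250-REQUIRETLS\n250 8BITMIME"
```

A `False` result means the message is returned to the sender rather than sent over a weaker path, which is the rejection behaviour the quoted concern refers to.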


Re: [OT] SOPHOS savdid/savd privilege question

2019-12-12 Thread Julius Suarez (GMail)
Hi Mr. Ralf,

From what I know about savd -
- It was designed to be run by root only.
- The daemon was supposed to handle the on-access scanning and the
framework that will handle other tasks.
- Some tasks include - configuration, thread control, runtime debugging,
logging, etc. --> which I believe will need root privileges.

BTW, I have not tried doing customization with any Sophos required user
privileges (always willing to find out if others may have found a way or if
the understanding needs updating. :)

Regards,
Julius



On Thu, Dec 12, 2019 at 9:45 PM Ralf Hildebrandt wrote:

> Currently I'm using SOPHOS savdid/savd within rspamd.
>
> * savdid is running as unprivileged user "sophosav"
> * savd, on the other hand, is run as root - probably by default :(
>
> Naturally, I'd like savd to run as a non-root user, but is that
> possible at all? Anybody got some hints and caveats for such a setup?
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG, 80333 München
>
> Registered office: München, District Court München: HRB 199263
> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the Supervisory Board: Florian Kirstein
>


[OT] SOPHOS savdid/savd privilege question

2019-12-12 Thread Ralf Hildebrandt
Currently I'm using SOPHOS savdid/savd within rspamd.

* savdid is running as unprivileged user "sophosav"
* savd, on the other hand, is run as root - probably by default :(

Naturally, I'd like savd to run as a non-root user, but is that
possible at all? Anybody got some hints and caveats for such a setup?

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein