On Sun, Apr 10, 2016 at 12:00:07AM +0200, David Schweikert wrote:

> > Just because email is ultimately going to say Gmail, if my nexthop
> > relay is some corporate outbound smarthost, the relevant STS policy
> > is for that relay, not the destination domain.
> 
> OK, got it. But this is going to work only for nexthops / relays
> specified as a mail domain (and not as hosts), right?

Either.  For example, DANE works regardless of whether routing is
via MX records or directly to the nexthop as a hostname.  A domain
with no MX records, or an administrator-specified route in which
the nexthop is not subject to MX lookups (a [nexthop.example] in
square brackets with Sendmail and Postfix) is implicitly equivalent
to:

        nexthop.example. IN MX 0 nexthop.example.

So if a Postfix transport table contains:

        example.com     smtp:example.net

then we deliver example.com's mail via the MX hosts of example.net
with whatever policy pertains to other mail sent via example.net.
If, on the other hand, the transport table contains:

        example.org     smtp:[smtp.example.name]

then mail is sent via the smtp.example.name relay, and the TLS
policy is that for "smtp.example.name" as a domain with no MX
records.

> I am not so sure about the usefulness of this, though.

It is quite useful, because a smarthost is not the only case:
sometimes one explicitly redirects mail for remote domains to other
domains, and not infrequently MX lookups are not disabled for such a
"redirect".

> I mean: in case
> you are modifying the routing for a mail domain, I would have thought
> that you also need to disable the STS check (like you need to disable
> certificate pinning when using SSL web proxies).

Well, we don't disable DANE checks in such a case.  It is both economy
of mechanism and useful to apply the relevant policy for the nexthop
domain regardless of the reason the domain is selected.

And it would certainly be wrong to use the policy for the recipient
domain.

> Or said differently: are you going to enforce TLS encryption to your
> outbound smarthosts using STS?

Yes.  STS is a transport policy, not an end-to-end policy.  Therefore
it applies to the logical transport nexthop.

-- 
        Viktor.
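Worked example, added here and not part of the thread: the rule above (the TLS policy is keyed by the logical transport nexthop, never by the recipient domain) expressed as a small Postfix-style transport-table resolver. It mirrors the two transport lines from the message, adds one bracketed entry with a port, and treats a bracketed nexthop as the implicit `host. IN MX 0 host.` record. The STS policy cache and the `.example.org` entry are constructed for illustration, and the pattern matching is a simplification of Postfix's (exact domain, then `.parent`, then `*`).

```python
"""Which domain's TLS policy (DANE or STS) applies to a delivery?

Added worked example: the policy is looked up for the logical transport
nexthop, never for the recipient domain.  A bracketed nexthop "[host]" is
delivered to without MX lookups and behaves as if "host. IN MX 0 host."
existed.  The STS policy table below is constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Nexthop:
    domain: str          # the domain whose TLS policy applies
    mx_lookup: bool      # False for "[host]": the host itself is the nexthop
    port: Optional[int]  # explicit ":port" suffix, if any


_BRACKETED = re.compile(r"^\[([^\]\s]+)\](?::(\d+))?$")
_PLAIN = re.compile(r"^([^\[\]:\s]+)(?::(\d+))?$")


def parse_nexthop(text: str, recipient_domain: str) -> Nexthop:
    """Parse the nexthop half of a Postfix 'transport:nexthop' value."""
    text = text.strip()
    if not text:
        # Empty nexthop: the recipient domain itself, routed via its MX records.
        return Nexthop(recipient_domain.lower(), True, None)
    for pattern, mx_lookup in ((_BRACKETED, False), (_PLAIN, True)):
        m = pattern.match(text)
        if m:
            port = int(m.group(2)) if m.group(2) else None
            return Nexthop(m.group(1).rstrip(".").lower(), mx_lookup, port)
    raise ValueError(f"unsupported nexthop syntax: {text!r}")


def parse_transport_table(text: str) -> dict:
    """Parse 'pattern  transport:nexthop' lines into {pattern: (transport, nexthop)}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        pattern = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        transport, _, nexthop = value.partition(":")
        table[pattern] = (transport, nexthop)
    return table


def lookup_transport(table: dict, recipient_domain: str):
    """Exact match first, then '.parent' entries, then '*' (simplified Postfix matching)."""
    domain = recipient_domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get("*")


def policy_domain(recipient_domain: str, table: dict) -> Nexthop:
    """The logical nexthop for recipient_domain; its .domain is the TLS policy key."""
    entry = lookup_transport(table, recipient_domain)
    if entry is None:
        return Nexthop(recipient_domain.lower(), True, None)
    _transport, nexthop_text = entry
    return parse_nexthop(nexthop_text, recipient_domain)


def implicit_mx(nh: Nexthop):
    """MX set the MTA acts as if it had for a bracketed nexthop; None means a real lookup is needed."""
    if nh.mx_lookup:
        return None
    return [(0, nh.domain)]


def select_policy(recipient_domain: str, table: dict, policies: dict):
    """Return (policy domain, policy): keyed by the nexthop, not the recipient domain."""
    nh = policy_domain(recipient_domain, table)
    return nh.domain, policies.get(nh.domain)


# Transport table from the message, plus one constructed bracketed entry with a port.
TRANSPORT_TABLE = """
example.com     smtp:example.net
example.org     smtp:[smtp.example.name]
.example.org    smtp:[relay.example.name]:587   # subdomains of example.org
"""

# Constructed STS policy cache keyed by policy domain (illustrative, not real).
STS_POLICIES = {
    "example.net": {"mode": "enforce", "mx": ["mx1.example.net"]},
    "smtp.example.name": {"mode": "enforce", "mx": ["smtp.example.name"]},
    "example.com": {"mode": "enforce", "mx": ["mail.example.com"]},
}

if __name__ == "__main__":
    table = parse_transport_table(TRANSPORT_TABLE)
    for rcpt in ("example.com", "example.org", "mail.example.org", "other.test"):
        nh = policy_domain(rcpt, table)
        print(rcpt, "->", nh, "implicit MX:", implicit_mx(nh),
              "policy for:", select_policy(rcpt, table, STS_POLICIES)[0])
```

Note that `STS_POLICIES` deliberately contains an entry for `example.com`, and `select_policy("example.com", ...)` never consults it: mail for example.com is routed via example.net, so example.net's policy is the one that governs the connection.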

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
