On Fri, Mar 08, 2024 at 03:05:43PM -0500, Viktor Dukhovni via Postfix-users wrote:

> On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users
> wrote:
>
> > Realistically, Gmail and Yahoo do not care about my MTA-STS
> > reports. All they care about is that I validate their X.509 certs.
> >
> > Is there any reason to use something like mta-sts-daemon in that
> > transport instead of just setting smtp_tls_security_level=verify?
>
> Just using verify leaves you more vulnerable to DNS-based MiTM attacks,
> because "verify" uses unvalidated MX hostnames as the "reference
> identifiers" in certificate matching.
>
> With "mta-sts", you are expected to obtain a trusted copy of the MX host
> list via HTTPS (trusting one of various WebPKI CAs to authenticate the
> website). The attacker first has to obtain a forged certificate for
> "mta-sts.<your-domain>", and then forged certificates for one of the
> MX hosts.
>
> If you independently obtain, and periodically recheck, the list of MX
> hosts for one or more domains, you can use a TLS policy that lists
> those names as the names to check, with either "verify" or "secure",
> which are identical once you explicitly specify the match names.
>
>     example.com secure match=mx1.example.com:mx2.example.com
Ah! Very clear, thank you. That's the last thing I need to finish this
silly book.

==ml

-- 
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Absolute
FreeBSD, Butterfly Stomp Waltz, TLS Mastery, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
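The point Viktor makes above (that "verify" takes its reference identifiers from the DNS MX answer, while "secure" or an explicit match= list does not) can be seen with a small model of the certificate-name selection. This is an example added here, not code from the thread and not Postfix source: the defaults it encodes (smtp_tls_verify_cert_match = hostname, smtp_tls_secure_cert_match = nexthop, dot-nexthop) are Postfix's documented defaults, but the matching rules are a simplification of what Postfix actually does, and the Delivery class, policy_line() helper, and the names mx.attacker.example and mx1/mx2.example.com are constructed for the illustration.

```python
"""Toy model of Postfix TLS reference-identifier selection.

Example added for illustration; not Postfix source. Shows why an
attacker who can spoof the MX lookup passes the 'verify' level with a
certificate for a name they legitimately own, but not a policy that
names the expected MX hosts explicitly.
"""
from dataclasses import dataclass

# Postfix defaults (postconf):
#   smtp_tls_verify_cert_match = hostname
#   smtp_tls_secure_cert_match = nexthop, dot-nexthop
DEFAULT_MATCH = {"verify": ["hostname"], "secure": ["nexthop", "dot-nexthop"]}


@dataclass
class Delivery:
    """Constructed view of one outbound delivery attempt."""
    nexthop: str          # recipient domain from the envelope (trusted input)
    mx_hostname: str      # MX host name from DNS (spoofable without DNSSEC)
    cert_sans: list       # dNSName SANs in the certificate the server presents


def reference_identifiers(level, nexthop, mx_hostname, match=None):
    """Expand a match= list into the names the server certificate must carry.

    'hostname' is the MX name as returned by DNS, 'nexthop' the recipient
    domain, 'dot-nexthop' the recipient domain with a leading '.', and any
    other entry is an explicit name from the policy table.
    """
    patterns = match if match is not None else DEFAULT_MATCH[level]
    refs = []
    for pattern in patterns:
        if pattern == "hostname":
            refs.append(mx_hostname.lower())
        elif pattern == "nexthop":
            refs.append(nexthop.lower())
        elif pattern == "dot-nexthop":
            refs.append("." + nexthop.lower())
        else:
            refs.append(pattern.lower())
    return refs


def _name_matches(cert_name, ref):
    """One certificate name against one reference identifier (simplified).

    A ref starting with '.' accepts any host strictly below that domain;
    a cert name starting with '*.' stands for exactly one leftmost label.
    """
    cert_name = cert_name.lower()
    wildcard = cert_name.startswith("*.")
    base = cert_name[2:] if wildcard else cert_name
    if ref.startswith("."):
        parent = ref[1:]
        if wildcard:
            # *.example.com covers hosts under example.com (or deeper)
            return base == parent or base.endswith("." + parent)
        return cert_name.endswith(ref)
    if wildcard:
        head, _, rest = ref.partition(".")
        return bool(head) and bool(rest) and rest == base
    return cert_name == ref


def tls_policy_passes(level, delivery, match=None):
    """True if any SAN matches any reference identifier for this level."""
    refs = reference_identifiers(level, delivery.nexthop,
                                 delivery.mx_hostname, match)
    return any(_name_matches(san, ref)
               for san in delivery.cert_sans for ref in refs)


def policy_line(domain, mx_hosts):
    """Build the smtp_tls_policy_maps entry for an independently obtained
    MX list, in the form shown in the thread."""
    return f"{domain} secure match={':'.join(mx_hosts)}"


if __name__ == "__main__":
    # Constructed scenarios: an honest delivery and a DNS-spoofed one where
    # the attacker holds a real WebPKI certificate for a host they control.
    honest = Delivery("example.com", "mx1.example.com", ["mx1.example.com"])
    spoofed = Delivery("example.com", "mx.attacker.example",
                       ["mx.attacker.example"])
    pinned = ["mx1.example.com", "mx2.example.com"]
    for name, d in (("honest", honest), ("spoofed", spoofed)):
        print(name, "verify:", tls_policy_passes("verify", d),
              "secure:", tls_policy_passes("secure", d),
              "explicit match:", tls_policy_passes("secure", d, pinned))
    print(policy_line("example.com", pinned))
```

Running it shows the spoofed delivery passing at "verify" (the certificate does match the hostname, it is just the attacker's hostname) and failing both at default "secure" and with the explicit match list; with an explicit list the level argument no longer changes the outcome, which is the "identical once you explicitly specify the match names" remark above.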