Dear Postfix folks,

We use an external company for managing job applications. We set up the domain jobs.molgen.mpg.de as an alias, and the domain is used in email addresses for sending and receiving emails.

    $ host jobs.molgen.mpg.de
    jobs.molgen.mpg.de is an alias for cs-balancers-1.b-ite.com.
    cs-balancers-1.b-ite.com has address 62.204.161.138
    cs-balancers-1.b-ite.com has address 62.204.161.137
    cs-balancers-1.b-ite.com has IPv6 address 2a02:f90:0:195::105a
    cs-balancers-1.b-ite.com has IPv6 address 2a02:f90:0:195::105b
    cs-balancers-1.b-ite.com mail is handled by 1 mail.b-ite.com.

We are using DANE, but of course the external service provider does not. Internally I configured the tls_policy *dane-only* for molgen.mpg.de/.molgen.mpg.de which of course leads to trouble in this situation. To work around it, I now have:

    molgen.mpg.de                   dane-only
    .molgen.mpg.de                  dane-only
    jobs.molgen.mpg.de              encrypt

Should I just switch to *dane* and be done with it, leave the special-case entry above and harden it to *secure*, or somehow configure our server as MX and then let it deliver the message to the external service provider's SMTP server?


Kind regards,

Paul


PS: The external service provider of course does not have the best security configuration [1].

Servers that don't enforce cipher suite preferences select the first
cipher suite they support from the list provided by clients. This
approach doesn't guarantee that best-possible cipher suite is
negotiated.

Even though this server supports TLS 1.2, the cipher suite
configuration is suboptimal. We recommend that you reconfigure the
server so that the cipher suites providing forward secrecy (ECDHE or
DHE in the name, in this order of preference) and authenticated
encryption (GCM or CHACHA20 in the name) are at the top. The server
must also be configured to select the best-available suite.

[1]: https://www.hardenize.com/report/jobs.molgen.mpg.de/1730279877#email_tls
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
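As an added illustration of the three options discussed in the post (this is not Postfix code and not the poster's configuration), the following Python model mirrors two documented Postfix behaviours that decide the outcome here: smtp_tls_policy_maps is indexed by the next-hop domain, falling back to parent domains written with a leading dot, so the CNAME on jobs.molgen.mpg.de does not change the lookup key; and the *dane* level degrades to *may* (no TLSA records) or *encrypt* (TLSA records present but unusable), whereas *dane-only* defers delivery. The policy table text is the one from the post; the `secure match=mail.b-ite.com` variant and the TLSA states fed in are constructed for the example.

```python
"""Toy model of Postfix smtp_tls_policy_maps lookup and effective TLS level.

Constructed example for the thread above; it is not Postfix code. It mirrors
two documented behaviours:
  * the policy table is indexed by the next-hop domain; when the full domain
    is not present, parent domains are tried with a leading dot, e.g.
    ".molgen.mpg.de", so a CNAME on the next-hop does not alter the key;
  * "dane" falls back to "may" (no TLSA records) or "encrypt" (TLSA records
    present but none usable), while "dane-only" defers the delivery.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Policy table exactly as written in the post (constructed copy).
POSTED_TABLE = """
molgen.mpg.de                   dane-only
.molgen.mpg.de                  dane-only
jobs.molgen.mpg.de              encrypt
"""

# Constructed variant of the "harden it to secure" option. With "secure",
# Postfix verifies the server certificate against the match= names (default:
# nexthop, dot-nexthop, i.e. jobs.molgen.mpg.de), so naming the actual MX
# host mail.b-ite.com is what makes such an entry workable in practice.
HARDENED_TABLE = """
molgen.mpg.de                   dane-only
.molgen.mpg.de                  dane-only
jobs.molgen.mpg.de              secure match=mail.b-ite.com
"""


@dataclass
class Policy:
    level: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_policy_table(text: str) -> Dict[str, Policy]:
    """Parse lines of the form 'key level [attr=value ...]', ignoring comments."""
    table: Dict[str, Policy] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, level, *rest = line.split()
        attrs = dict(item.split("=", 1) for item in rest if "=" in item)
        table[key.lower()] = Policy(level, attrs)
    return table


def lookup(table: Dict[str, Policy], nexthop: str) -> Optional[Policy]:
    """Exact next-hop key first, then each parent domain with a leading dot."""
    name = nexthop.lower().rstrip(".")
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None  # no entry: smtp_tls_security_level applies


def effective_level(policy: Optional[Policy], default_level: str, tlsa: str) -> str:
    """Resolve the level Postfix actually enforces for one delivery.

    tlsa is the DNSSEC-validated TLSA state of the MX host: 'none',
    'unusable' or 'usable'. 'defer' means no connection is attempted.
    """
    level = policy.level if policy else default_level
    if level == "dane":
        return {"none": "may", "unusable": "encrypt", "usable": "dane"}[tlsa]
    if level == "dane-only":
        return "dane" if tlsa == "usable" else "defer"
    return level


def outcome(table_text: str, nexthop: str, tlsa: str, default_level: str = "dane") -> str:
    """Convenience wrapper: table text plus next-hop and TLSA state -> level."""
    return effective_level(lookup(parse_policy_table(table_text), nexthop), default_level, tlsa)


if __name__ == "__main__":
    # The external MX publishes no TLSA records (the situation in the post).
    for hop in ("jobs.molgen.mpg.de", "mail.molgen.mpg.de", "molgen.mpg.de"):
        print(f"{hop:24s} -> {outcome(POSTED_TABLE, hop, 'none')}")
```

Running the model against the posted table shows why the exception entry is needed: without it, jobs.molgen.mpg.de inherits *dane-only* from the `.molgen.mpg.de` line and delivery is deferred because the b-ite.com MX has no TLSA records; with the entry, *encrypt* is enforced for that one next-hop while the rest of the zone stays at *dane-only*.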