Joachim Lindenberg:
> Given the fact that "encrypt" implies no "dane" this sounds like
> a bad idea for interoperability with dane sites.

Wietse:
> No problem. Postfix currently does not try DANE (or STS) with the
> default TLS security level "may".

Joachim Lindenberg:
> Correct. But would you then ignore the suggested _smtps.example.dom
> setting with "dane", "dane-only", "secure", or "verify" TLS security
> level?

The idea is that if local policy is 'encrypt' or stronger (verify,
dane-only, etc.), then local policy takes precedence.

With Postfix, dane and sts are a bit of a bastard: in practice they
will allow a range:

- plaintext and unverified TLS if a receiver has no DANE or STS policy,
- verified (PKI or other) TLS if a receiver has a DANE or STS policy.

It will require some care to respect the 'starttls policy hint' from
SRV, in the absence of a DANE or STS policy.

Joachim Lindenberg:
> All in all, imho interoperability with RFC 7672 and RFC 8461 are
> not addressed sufficiently yet.

Wietse:
> Can you be more specific? I think it does not interfere with either
> DANE or STS.

Joachim Lindenberg:
> To some extent the approach probably replaces blocking calls on
> TCP layer with blocking calls on DNS. If we see DNS also moving

Postfix blocks on DNS. The SMTP reads and writes are also blocking.
The TLS reads and writes are non-blocking if implemented in tlsproxy,
and blocking if implemented in the SMTP client itself.

	Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
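The precedence Wietse sketches above (local 'encrypt' or stronger wins; 'dane' is opportunistic and yields a range depending on what the receiver publishes; the SRV hint only matters when no DANE or STS policy applies) can be written down as a small decision procedure. The following is an added illustration, not Postfix source code and not the proposal's reference implementation. It assumes a hypothetical _smtps SRV record that carries a Postfix-style security level as its hint, and it assumes that an MTA-STS policy maps to PKI verification with name matching (Postfix "verify"), which is how RFC 8461 validates certificates. How exactly a real client should adopt the hint is the open point in the thread; the model simply adopts a hint that is stronger than "may" whenever the local policy is weaker than "encrypt".

```python
"""Effective SMTP TLS policy under the precedence discussed in the thread.

Added illustration, not Postfix source. Inputs modelled:
  - the local smtp_tls_security_level,
  - whether the receiving domain publishes a DANE (RFC 7672) or
    MTA-STS (RFC 8461) policy,
  - an optional security-level hint from a hypothetical _smtps SRV record.
"""

# Postfix TLS security levels, weakest to strongest.
LEVELS = ["none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Receiver-side policies considered by the model.
RECEIVER_POLICIES = ("none", "dane", "sts")


def allows_plaintext(level):
    """True if delivery may proceed without TLS at this level."""
    return level in ("none", "may")


def verifies_certificate(level):
    """True if the level authenticates the server certificate."""
    return level in ("dane-only", "fingerprint", "verify", "secure")


def effective_policy(local_level, receiver_policy="none", srv_hint=None):
    """Return the security level the client would effectively enforce.

    Rules, following the thread:
      1. "none" disables TLS; nothing remote can turn it back on.
      2. "encrypt" or stronger is local policy and takes precedence over
         any receiver policy or SRV hint. "dane" is the exception: it is
         opportunistic and depends on what the receiver publishes.
      3. "dane" yields verified TLS when the receiver has a DANE or STS
         policy: DANE maps to "dane-only" (TLSA verification), STS to
         "verify" (PKI verification; this mapping is an assumption of the
         model). Without a receiver policy it degrades to the "may" range.
      4. "may" (including the degraded "dane" case) does not consult DANE
         or STS. If an SRV hint stronger than "may" is present it is
         adopted (the "some care" point in the thread; a hint of "dane"
         or "dane-only" with no receiver DANE policy is left unresolved
         here), otherwise plaintext or unverified TLS is allowed.
    """
    if local_level not in RANK:
        raise ValueError("unknown local level: %r" % (local_level,))
    if receiver_policy not in RECEIVER_POLICIES:
        raise ValueError("unknown receiver policy: %r" % (receiver_policy,))
    if srv_hint is not None and srv_hint not in RANK:
        raise ValueError("unknown SRV hint level: %r" % (srv_hint,))

    if local_level == "none":
        return "none"

    if local_level != "dane" and RANK[local_level] >= RANK["encrypt"]:
        return local_level

    if local_level == "dane":
        if receiver_policy == "dane":
            return "dane-only"
        if receiver_policy == "sts":
            return "verify"
        # No receiver policy: same range as "may", per the thread.

    if srv_hint is not None and RANK[srv_hint] > RANK["may"]:
        return srv_hint
    return "may"


if __name__ == "__main__":
    # Print the precedence table for the levels the thread talks about.
    for local in ("may", "encrypt", "dane", "dane-only"):
        for receiver in RECEIVER_POLICIES:
            for hint in (None, "verify"):
                eff = effective_policy(local, receiver, hint)
                print("local=%-9s receiver=%-4s hint=%-6s -> %-9s "
                      "plaintext=%s verified=%s" % (
                          local, receiver, hint, eff,
                          allows_plaintext(eff), verifies_certificate(eff)))
```

Running the script prints the table; the rows for local "dane" are the "range" Wietse describes (from "may" with no receiver policy up to verified TLS with one), and the rows for "encrypt" and "dane-only" are unchanged by the receiver policy or the hint.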