Hi!

RFC 7672 says that Opportunistic DANE (security level "dane", but not "dane-only") may accept non-DNSSEC-derived MX records as eligible for DANE on the DNSSEC-signed (e.g. external) SMTP server.

RFC 7672 Section 2.2.1:


   Since the protocol in this memo is an Opportunistic Security protocol
   [RFC7435], the SMTP client MAY elect to use DANE TLS (as described in
   Section 2.2.2 below), even with MX hosts obtained via an "insecure"
   MX RRset.  For example, when a hosting provider has a signed DNS zone
   and publishes TLSA records for its SMTP servers, hosted domains that
   are not signed may still benefit from the provider's TLSA records.
   Deliveries via the provider's SMTP servers will not be subject to
   active attacks when sending SMTP clients elect to use the provider's
   TLSA records (active attacks that tamper with the "insecure" MX RRset
   are of course still possible in this case).

   When the MX records are not (DNSSEC) signed, an active attacker can
   redirect SMTP clients to MX hosts of his choice.  Such redirection is
   tamper-evident when SMTP servers found via "insecure" MX records are
   recorded as the next-hop relay in the MTA delivery logs in their
   original (rather than CNAME-expanded) form.  Sending MTAs SHOULD log
   unexpanded MX hostnames when these result from "insecure" MX lookups.
   Any successful authentication via an insecurely determined MX host
   MUST NOT be misrepresented in the mail logs as secure delivery to the
   intended next-hop domain.

This currently isn't the case. Even if a socketmap server returns "dane", Postfix doesn't choose DANE when the MX is retrieved with no DNSSEC signature.
I propose relaxing the check for a DNSSEC-signed MX when the security level is "dane" (but not for "dane-only"), and logging that the MX isn't verified but Opportunistic DANE is chosen anyway (as the RFC recommends).

Best regards,
  Ömer
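To make the proposed decision concrete, here is an added model of the RFC 7672 section 2.2.1 policy choice (example code written for this thread, not Postfix's own smtp_tls_policy code): it takes the configured level, whether the MX RRset was DNSSEC-validated and whether validated TLSA records exist for the MX host, and returns the effective level plus the log line that records an unverified MX by its unexpanded name. The `MxResult` type and the level names "defer"/"may" used for the non-DANE outcomes are assumptions of the model.

```python
"""Model of the RFC 7672 section 2.2.1 decision for Opportunistic DANE.

Illustrative only: this is not Postfix's own TLS policy code, and it models
just two inputs (signed MX RRset? validated TLSA RRset?), not TLSA usability.
"""
from dataclasses import dataclass


@dataclass
class MxResult:
    name: str          # MX hostname exactly as it appeared in the MX RRset (unexpanded)
    mx_secure: bool    # the MX RRset itself was DNSSEC-validated
    tlsa_secure: bool  # a DNSSEC-validated TLSA RRset exists for this MX host


def choose_tls_policy(level: str, mx: MxResult) -> tuple[str, str]:
    """Return (effective_level, log_line) for one MX candidate.

    level is the configured security level: "dane" or "dane-only".
    """
    if level not in ("dane", "dane-only"):
        raise ValueError("only dane and dane-only are modelled here")

    if mx.mx_secure:
        if mx.tlsa_secure:
            return "dane", f"{mx.name}: verified MX, DANE TLSA records found"
        # Signed MX but no TLSA: dane-only must not fall back to unauthenticated TLS
        if level == "dane-only":
            return "defer", f"{mx.name}: verified MX, no TLSA records, deferring"
        return "may", f"{mx.name}: verified MX, no TLSA records, opportunistic TLS"

    # Insecure MX RRset: dane-only insists on a DNSSEC-validated MX
    if level == "dane-only":
        return "defer", f"{mx.name}: unverified MX RRset, dane-only requires DNSSEC"
    if mx.tlsa_secure:
        # RFC 7672 2.2.1: the client MAY still use the provider's TLSA records,
        # but the log must name the unexpanded MX host and must not present
        # this as secure delivery to the intended next-hop domain.
        return "dane", f"{mx.name}: unverified MX RRset, using host TLSA records anyway"
    return "may", f"{mx.name}: unverified MX RRset, no TLSA records, opportunistic TLS"
```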

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org