Oh, definitely the latter! Thank you for looking deeper into the code. Honoring the evaluated policy would ensure that Postfix tries DANE when the default is set to, for example, „encrypt“ and a socketmap server like postfix-tlspol returns „dane“ (because it detected DANE support after an insecure MX lookup). Now I know how I first thought there was a bug: I set my default to „may“ while experimenting and saw in the logs that, although the socketmap returned „dane“, DANE was not used at all, to my surprise.
Ömer

> On 08.02.2025 at 22:43, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:
>
> Viktor Dukhovni via Postfix-users:
>>> On Sat, Feb 08, 2025 at 05:28:31PM +0100, Ömer Güven via Postfix-users wrote:
>>>
>>> RFC 7672 says that Opportunistic DANE (security level 'dane', but not
>>> 'dane-only') may accept non-DNSSEC derived MX records be eligible for
>>> DANE on the DNSSEC-signed (e. g. external) SMTP server.
>>>
>>> RFC 7672 Section 2.2.1:
>>
>> The primary author of RFC 7672 was also the implementor of DANE support
>> in Postfix (and later OpenSSL), with the implementation developed in
>> parallel with the specification. Unsurprisingly, the Postfix
>> implementation matches the specification.
>>
>>> This currently isn't the case. Even if a socketmap server returns
>>> 'dane' Postfix doesn't choose DANE when the MX is retrieved with no
>>> DNSSEC signature.
>>
>> This is not true. See:
>>
>> http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy
>
> The default for this is:
>
> smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ?
> {dane} : {may}}
>
> I have one question:
>
> - Should this expression use the security level from
> main.cf:smtp_tls_security_level?
>
> - Or should it use the actual security level after policy lookup?
>
> If the latter, then some code will need to be moved.
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
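As an added illustration (not part of the thread, nor Postfix's own documentation), a main.cf fragment for the setup described above: default level „may“, per-destination policy from a socketmap server, and the insecure-MX policy pinned explicitly so that the outcome no longer depends on which security level the default expression reads. The socketmap endpoint and map name are placeholders.

```conf
# Added example, not from the thread. Site default: opportunistic TLS for
# every destination that the policy lookup does not override.
smtp_tls_security_level = may

# DANE needs DNSSEC-validating lookups from the resolver Postfix uses.
smtp_dns_support_level = dnssec

# Per-destination policy from a socketmap server such as postfix-tlspol.
# Host, port and map name below are placeholders for the real endpoint.
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:PORT_PLACEHOLDER:QUERY

# Default value: ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
# With the site default "may" above, that expression yields "may" if it
# reads main.cf, so a "dane" answer from the socketmap for an MX found
# via an insecure lookup would fall back to "may". Setting it to "dane"
# explicitly removes the dependency on how the default is evaluated.
smtp_tls_dane_insecure_mx_policy = dane
```

Check the effective values with `postconf smtp_tls_dane_insecure_mx_policy smtp_tls_security_level` after the change.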