* Also: the current behavior is counter-intuitive and makes returning „dane“ completely useless unless the default is also set to „dane“, because postfix-tlspol only returns „dane“ if „dane-only“ isn't possible because of an unsigned MX record. „dane“ returned while the default is „encrypt“ would be equal to returning „may“, a rather hidden and not-so-obvious security bug. 🥲
Would be great if the next release would fix this!

> On 08.02.2025 at 22:50, Ömer Güven <omer.gu...@zuplu.com> wrote:
> Oh, definitely the latter! Thank you for looking deeper in the code.
>
> Honoring the evaluated policy would ensure that Postfix tries DANE when the
> default is set to, for example, „encrypt“ and a socketmap server like
> postfix-tlspol returns „dane“ (because it detected DANE support after an
> insecure MX lookup).
> Now I know how I first thought there was a bug: I set my default to „may“
> during experimenting and saw in the logs that, although the socketmap returned
> „dane“, DANE was not used at all, to my surprise.
>
> Ömer
>
>
>> On 08.02.2025 at 22:43, Wietse Venema via Postfix-users
>> <postfix-users@postfix.org> wrote:
>>
>> Viktor Dukhovni via Postfix-users:
>>>> On Sat, Feb 08, 2025 at 05:28:31PM +0100, Ömer Güven via Postfix-users
>>>> wrote:
>>>> RFC 7672 says that Opportunistic DANE (security level "dane", but not
>>>> "dane-only") may accept non-DNSSEC derived MX records as eligible for
>>>> DANE on the DNSSEC-signed (e. g. external) SMTP server.
>>>> RFC 7672 Section 2.2.1:
>>> The primary author of RFC 7672 was also the implementor of DANE support
>>> in Postfix (and later OpenSSL), with the implementation developed in
>>> parallel with the specification. Unsurprisingly, the Postfix
>>> implementation matches the specification.
>>>> This currently isn't the case. Even if a socketmap server returns
>>>> 'dane' Postfix doesn't choose DANE when the MX is retrieved with no
>>>> DNSSEC signature.
>>> This is not true. See:
>>> http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy
>>
>> The default for this is:
>>
>> smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ?
>> {dane} : {may}}
>>
>> I have one question:
>>
>> - Should this expression use the security level from
>> main.cf:smtp_tls_security_level?
>>
>> - Or should it use the actual security level after policy lookup?
>>
>> If the latter, then some code will need to be moved.
>>
>> Wietse
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org
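To make the interaction concrete, here is an added example (not Postfix source and not postfix-tlspol code) that models the decision the thread is about: which TLS level ends up applying to an MX host found through an unsigned MX lookup, under the default expression for smtp_tls_dane_insecure_mx_policy that Wietse quoted. The function names, the `default_uses_lookup_level` switch (standing in for Wietse's "actual security level after policy lookup" alternative) and the scenario labels are assumptions of this example; dane-only and the certificate-verifying levels are deliberately left out.

```python
# Added example, not Postfix or postfix-tlspol code: a model of the per-MX TLS
# level when the MX lookup was NOT DNSSEC-validated, limited to the levels the
# thread discusses ('dane-only' and the certificate-verifying levels omitted).

INSECURE_MX_POLICIES = ("may", "encrypt", "dane")  # values the knob accepts

def default_insecure_mx_policy(level):
    """Stock default quoted by Wietse, evaluated against the level given:
    ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}"""
    return "dane" if level == "dane" else "may"

def effective_level(maincf_level, lookup_level, mx_is_signed,
                    insecure_mx_policy=None, default_uses_lookup_level=False):
    """TLS level applied to one MX host.
    maincf_level: smtp_tls_security_level from main.cf; lookup_level: the policy
    table / socketmap answer (None = no entry); insecure_mx_policy: an explicit
    smtp_tls_dane_insecure_mx_policy, or None for the default expression.
    default_uses_lookup_level is an assumed switch for Wietse's second option
    (evaluate the default against the post-lookup level; False = current code)."""
    level = maincf_level if lookup_level is None else lookup_level
    if level != "dane":
        return level                 # the knob only applies at level 'dane'
    if mx_is_signed:
        return "dane"                # signed MX lookup: ordinary DANE
    if insecure_mx_policy is None:
        basis = level if default_uses_lookup_level else maincf_level
        insecure_mx_policy = default_insecure_mx_policy(basis)
    if insecure_mx_policy not in INSECURE_MX_POLICIES:
        raise ValueError("bad smtp_tls_dane_insecure_mx_policy: " + insecure_mx_policy)
    return insecure_mx_policy

def thread_scenarios():
    """The thread's situations as {label: effective level}. The MX always comes
    from an unsigned lookup, which is exactly when postfix-tlspol says 'dane'."""
    unsigned = False  # constructed input: the MX RRset was not DNSSEC-validated
    return {
        # main.cf 'encrypt', socketmap 'dane': the default is evaluated against
        # main.cf and gives 'may', so the returned 'dane' is silently lost
        "encrypt, socketmap dane": effective_level("encrypt", "dane", unsigned),
        # main.cf itself at 'dane': the default resolves to 'dane'
        "dane, socketmap dane": effective_level("dane", "dane", unsigned),
        # mitigation available now: set the knob explicitly in main.cf
        "encrypt, socketmap dane, knob=dane":
            effective_level("encrypt", "dane", unsigned, "dane"),
        # Wietse's alternative: evaluate the default after the policy lookup
        "encrypt, socketmap dane, post-lookup default":
            effective_level("encrypt", "dane", unsigned,
                            default_uses_lookup_level=True),
    }
```

The first scenario is the "hidden security bug" from the message above: the socketmap's 'dane' degrades to 'may' because the default expression never sees the post-lookup level.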