I tested it: it is true. Setting the default security level to anything other 
than „dane“ (even encrypt, verify, secure…) and having the socketmap server 
return „dane“ downgrades to „may“ (but then negotiates unauth TLS because the 
remote of course supports encryption).
This is a major design flaw, not to say a security bug.

> On 09.02.2025 at 03:01, Ömer Güven via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> 
> How did I misunderstand the settings if Wietse said that 
> smtp_tls_dane_insecure_mx_policy only defaults to dane, when the 
> smtp_tls_security_level variable is set to dane, else it defaults to may, 
> regardless of the security level returned by smtp_tls_policy_maps?
> 
> Either Wietse is wrong or you didn't understand me.
> 
>> On 09.02.2025 at 02:53, Viktor Dukhovni via Postfix-users 
>> <postfix-users@postfix.org> wrote:
>> 
>> On Sat, Feb 08, 2025 at 04:41:53PM -0500, Wietse Venema via Postfix-users 
>> wrote:
>> 
>>> 
>>> smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
>>> 
>>> I have one question:
>>> 
>>> - Should this expression use the security level from
>>>   main.cf:smtp_tls_security_level?
>>> 
>>> - Or should it use the actual security level after policy lookup?
>>> 
>>> If the latter, then some code will need to be moved.
>> 
>> I don't see a compelling reason to pay the complexity cost to fine-tune
>> this by destination; if absolutely necessary, a destination can be
>> mapped to a transport that has a different parameter value.
>> 
>> --
>>    Viktor.
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org

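The interaction the thread describes, shown as a Postfix configuration with the weak setting beside two ways of correcting it. This is an added example, not a configuration from the thread or from the Postfix project; the domain example.org and the map paths under /etc/postfix are constructed.

```ini
# main.cf: the weak setting. With smtp_tls_security_level = may, the
# built-in default
#   smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
# expands to "may" even for a destination whose policy-map entry says "dane".
smtp_tls_security_level = may
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# effective default here, shown for clarity:
#   smtp_tls_dane_insecure_mx_policy = may

# /etc/postfix/tls_policy (constructed entry; run "postmap" after editing):
#   example.org   dane
# Result: when example.org's MX records are obtained through an unsigned
# (insecure) lookup, the MX hosts' TLSA records are not enforced and the
# session falls back to opportunistic, unauthenticated TLS.

# Fix 1: pin the insecure-MX policy globally so that "dane" entries in the
# policy map are honoured regardless of the default security level.
smtp_tls_dane_insecure_mx_policy = dane

# Fix 2 (the per-destination route Viktor suggests): send the destination
# through a dedicated transport that carries its own parameter values.
# master.cf:
#   dane-smtp  unix  -  -  n  -  -  smtp
#     -o smtp_tls_security_level=dane
#     -o smtp_tls_dane_insecure_mx_policy=dane
# /etc/postfix/transport (constructed entry; run "postmap" after editing):
#   example.org   dane-smtp:
transport_maps = hash:/etc/postfix/transport
```

Check the effective value with `postconf smtp_tls_dane_insecure_mx_policy`; a downgraded session shows up in the mail log as "Untrusted TLS connection established" where "Verified TLS connection established" was expected.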
