I'm the author of postfix-tlspol. I'm not talking about manually adding "dane" 
for select destinations in a static map.
postfix-tlspol does evaluate the domain in realtime and returns the currently 
best available policy.

I have to calculate the worst-case, like a user configuring "encrypt" as 
default tls policy, and sending a mail to a domain that is not dnssec signed 
itself, but points to a third-party mail provider that securely implements TLSA.
Now tlspol would return "dane" because the domain does not have all 
requirements for "dane-only" set, but opportunistic DANE is still a viable 
option.
Postfix now ignoring that "dane" reply and simply downgrading to "may" is 
not-so-trivial for the regular user. I know Postfix would effectively use unauth 
TLS, but it still is a theoretical attack vector and worrisome.

I mean, I'll note this behavior and recommend manually setting 
smtp_tls_dane_insecure_mx_policy to dane in the README of postfix-tlspol, but I 
have to consider the unusual (even broken) setups and worst-cases.

Kind regards
   Ömer

> On 09.02.2025 at 03:40, Viktor Dukhovni via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> On Sun, Feb 09, 2025 at 03:00:22AM +0100, Ömer Güven wrote:
> 
>> How did I misunderstand the settings if Wietse said that
>> smtp_tls_dane_insecure_mx_policy only defaults to dane, when the
>> smtp_tls_security_level variable is set to dane, else it defaults to
>> may, regardless of the security level returned by
>> smtp_tls_policy_maps?
> 
> It makes little sense to enable opportunistic "dane" only for a select
> few destinations.  If it is generally disabled, the best-effort DANE for
> some, but not necessarily all MX hosts, and not necessarily the right
> ones, isn't worth it.  The parameter is not "useless" when based on the
> global setting, rather than per-destination setting.
> 
> I am not opposed to starting with the per-destination setting, but that
> requires new code, which is not clearly justified.
> 
> --
>    Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
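As an added illustration of the worst case described above (this fragment is not part of the thread and not postfix-tlspol's own documentation), here is a Postfix main.cf excerpt contrasting the setup in which a "dane" reply from the policy map is silently downgraded with the setup that states smtp_tls_dane_insecure_mx_policy explicitly. The socketmap address used for postfix-tlspol is an assumed placeholder; the real one belongs in the project's README.

```ini
# --- Setup A (illustrative): "encrypt" as the global default.
# smtp_tls_dane_insecure_mx_policy is derived from the *global*
# smtp_tls_security_level, not from the per-destination result of
# smtp_tls_policy_maps. With the global level at "encrypt" it defaults
# to "may", so a destination whose own zone is unsigned but whose MX
# provider publishes TLSA records is delivered with unauthenticated TLS
# even when the policy lookup returned "dane".
smtp_dns_support_level = dnssec
smtp_tls_security_level = encrypt
# Placeholder socketmap endpoint for postfix-tlspol (assumed, not real):
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:PORT:NAME
# smtp_tls_dane_insecure_mx_policy not set -> effectively "may" here

# --- Setup B: same global level, insecure-MX policy stated explicitly.
# A "dane" reply from the policy map is now honoured for MX hosts that
# were found via an insecure MX lookup but do have usable TLSA records.
smtp_dns_support_level = dnssec
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:PORT:NAME
smtp_tls_dane_insecure_mx_policy = dane
```

Only one of the two setups goes into a real main.cf; they are shown side by side for comparison. After editing, `postconf smtp_tls_dane_insecure_mx_policy` prints the value Postfix will actually use (the computed default if the parameter is unset), and `postconf -n` lists only the parameters set explicitly, which makes it easy to confirm that the override is present rather than implied.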


