On Sun, Feb 09, 2025 at 06:55:50AM +0100, Ömer Güven wrote:

> I'm the author of postfix-tlspol. I'm not talking about manually adding
> „dane“ for select destinations in a static map.
> postfix-tlspol does evaluate the domain in realtime and returns the currently
> best available policy.
>
> I have to calculate the worst-case, like a user configuring „encrypt“ as
> default tls policy, and sending a mail to a domain that is not dnssec signed
> itself, but points to a third-party mail provider that securely implements
> TLSA.
> Now tlspol would return „dane“ because the domain does not have all
> requirements for „dane-only“ set, but opportunistic DANE is still a viable
> option.
> Postfix now ignoring that „dane“ reply and simply downgrading to „may“ is
> not-so-trivial for the regular user. I know Postfix would effectively use
> unauth TLS, but it still is a theoretical attack vector and worrisome.
You seem to be arguing for a policy-table analogue attribute to override the
global default of insecure MX host handling. I think that makes more sense
than a global default that depends on per-destination input.

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
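The scenario discussed above (a real-time policy server answering „dane“ for a destination whose own zone is unsigned but whose MX host publishes TLSA, and Postfix handling that reply differently depending on the insecure-MX default versus a per-destination override) can be modelled in a few lines. The following is an added illustration, not code from Postfix or from postfix-tlspol; the `Destination` fields, the `policy_server_reply` heuristic, the `insecure_mx_policy` default of `"may"` (taken from the downgrade described in the thread) and the `per_destination_override` table (standing in for the policy-table attribute Viktor suggests) are all assumptions of this model. The `audit_downgrades` helper is the part a defender would actually want: it lists destinations where an authenticated DANE reply silently became opportunistic TLS.

```python
"""Simplified model of how a TLS policy reply interacts with Postfix's handling
of MX hosts found via an insecure (non-DNSSEC-validated) MX lookup.
Added example only; not Postfix's or postfix-tlspol's own logic."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Destination:
    name: str                 # nexthop domain as seen by the SMTP client
    mx_lookup_secure: bool    # were the MX records DNSSEC-validated?
    mx_has_usable_tlsa: bool  # does the MX host publish usable TLSA records?


def policy_server_reply(dest: Destination) -> str:
    """Mimic a real-time policy server (assumption, modelled on the thread):
    'dane-only' needs the whole chain DNSSEC-validated, 'dane' is returned when
    only the provider's MX host side has TLSA, otherwise fall back to 'may'."""
    if dest.mx_has_usable_tlsa and dest.mx_lookup_secure:
        return "dane-only"
    if dest.mx_has_usable_tlsa:
        return "dane"
    return "may"


def effective_level(
    reply: str,
    dest: Destination,
    insecure_mx_policy: str = "may",
    per_destination_override: Optional[Dict[str, str]] = None,
) -> str:
    """Resolve the level that would actually be enforced for this delivery.

    insecure_mx_policy models the global default applied when the reply is
    'dane' but the MX lookup was insecure (the thread reports this as a
    downgrade to 'may'). per_destination_override models a hypothetical
    per-destination attribute that wins over the global default."""
    if reply != "dane" or dest.mx_lookup_secure:
        return reply  # only the insecure-MX 'dane' case is subject to the default
    if per_destination_override and dest.name in per_destination_override:
        return per_destination_override[dest.name]
    return insecure_mx_policy


AUTHENTICATED = {"dane", "dane-only", "fingerprint", "verify", "secure"}


def audit_downgrades(
    dests: List[Destination],
    insecure_mx_policy: str = "may",
    per_destination_override: Optional[Dict[str, str]] = None,
) -> List[str]:
    """Return the names of destinations where an authenticated reply from the
    policy server ends up as an unauthenticated (opportunistic) level."""
    downgraded = []
    for dest in dests:
        reply = policy_server_reply(dest)
        level = effective_level(reply, dest, insecure_mx_policy, per_destination_override)
        if reply in AUTHENTICATED and level not in AUTHENTICATED:
            downgraded.append(dest.name)
    return downgraded


# Constructed sample destinations (not real domains' DNS state).
SAMPLE = [
    Destination("unsigned-customer.example", mx_lookup_secure=False, mx_has_usable_tlsa=True),
    Destination("signed.example", mx_lookup_secure=True, mx_has_usable_tlsa=True),
    Destination("plain.example", mx_lookup_secure=False, mx_has_usable_tlsa=False),
]

if __name__ == "__main__":
    print("downgraded with global default:", audit_downgrades(SAMPLE))
    override = {"unsigned-customer.example": "dane"}
    print("downgraded with per-destination override:",
          audit_downgrades(SAMPLE, per_destination_override=override))
```

Running the audit with the global default reports the unsigned customer domain as downgraded; adding the per-destination override for that one name clears it without changing how any other destination is handled, which is the distinction Viktor draws between a global default and per-destination input.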