I observed that with postfix-tlspol, mails sent to and from Gmail show up as trusted connections,
while with postfix-mta-sts-resolver, sending to Gmail shows up as verified connections but receiving from Gmail shows up as trusted connections, and I was wondering why.

Cheers

On February 9, 2025 5:55:50 AM UTC, "Ömer Güven via Postfix-users" <postfix-users@postfix.org> wrote:
>I'm the author of postfix-tlspol. I'm not talking about manually adding "dane"
>for select destinations in a static map.
>postfix-tlspol does evaluate the domain in realtime and returns the currently
>best available policy.
>
>I have to calculate the worst case, like a user configuring "encrypt" as
>default TLS policy, and sending a mail to a domain that is not DNSSEC-signed
>itself, but points to a third-party mail provider that securely implements
>TLSA.
>Now tlspol would return "dane" because the domain does not have all
>requirements for "dane-only" set, but opportunistic DANE is still a viable
>option.
>Postfix now ignoring that "dane" reply and simply downgrading to "may" is
>not-so-trivial for the regular user. I know Postfix would effectively use unauth
>TLS, but it still is a theoretical attack vector and worrisome.
>
>I mean, I'll note this behavior and recommend manually setting
>smtp_tls_dane_insecure_mx_policy to dane in the README of postfix-tlspol, but
>I have to consider the unusual (even broken) setups and worst cases.
>
>Kind regards
> Ömer
>
>> On 09.02.2025 at 03:40, Viktor Dukhovni via Postfix-users
>> <postfix-users@postfix.org> wrote:
>>
>> On Sun, Feb 09, 2025 at 03:00:22AM +0100, Ömer Güven wrote:
>>
>>> How did I misunderstand the settings if Wietse said that
>>> smtp_tls_dane_insecure_mx_policy only defaults to dane, when the
>>> smtp_tls_security_level variable is set to dane, else it defaults to
>>> may, regardless of the security level returned by
>>> smtp_tls_policy_maps?
>>
>> It makes little sense to enable opportunistic "dane" only for a select
>> few destinations. If it is generally disabled, the best-effort DANE for
>> some, but not necessarily all MX hosts, and not necessarily the right
>> ones, isn't worth it. The parameter is not "useless" when based on the
>> global setting, rather than the per-destination setting.
>>
>> I am not opposed to starting with the per-destination setting, but that
>> requires new code, which is not clearly justified.
>>
>> --
>> Viktor.
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org

akritrim® Intelligence™
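The decision Ömer and Viktor are arguing about, modelled as a small script. This is an added illustration written for this page; it is not code from Postfix, postfix-tlspol or postfix-mta-sts-resolver. The class and function names (`Destination`, `effective_level`, `log_word`) are assumptions, the rules are a simplified reading of the documented behaviour of `smtp_tls_dane_insecure_mx_policy` (deferrals on failed TLSA lookups and the `dane-only` level are not modelled), and the mapping from the outcome to the "Verified"/"Trusted"/"Untrusted" words in Postfix's connection summary log line is this editor's reading of those log lines, not something stated in the thread:

```python
"""Model of how Postfix settles the TLS level for a destination whose
smtp_tls_policy_maps lookup returned "dane" while the global
smtp_tls_security_level is something else (typically "may" or "encrypt").

Added illustration for the thread above; not Postfix code. Names and the
simplified rules are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Destination:
    name: str
    policy_map_level: Optional[str]  # smtp_tls_policy_maps result, None if no entry
    mx_lookup_secure: bool           # MX RRset validated by DNSSEC
    tlsa_usable: bool                # MX host has DNSSEC-validated, usable TLSA records


def default_insecure_mx_policy(global_level: str) -> str:
    """Default of smtp_tls_dane_insecure_mx_policy as Wietse describes it in the
    thread: "dane" only when the global level is "dane", otherwise "may"."""
    return "dane" if global_level == "dane" else "may"


def effective_level(dest: Destination, global_level: str,
                    insecure_mx_policy: Optional[str] = None) -> str:
    """Return the TLS level Postfix would actually apply to this destination."""
    level = dest.policy_map_level or global_level
    if level != "dane":
        return level  # only "dane" destinations are affected by this parameter
    if dest.mx_lookup_secure:
        # Secure MX lookup: opportunistic DANE applies; with no usable TLSA
        # records the session degrades to opportunistic (unauthenticated) TLS.
        return "dane" if dest.tlsa_usable else "may"
    # Insecure MX lookup: smtp_tls_dane_insecure_mx_policy decides.
    policy = insecure_mx_policy or default_insecure_mx_policy(global_level)
    if policy == "dane":
        return "dane" if dest.tlsa_usable else "may"
    return policy  # "encrypt" or "may": TLSA records are ignored


def log_word(level: str, cert_matches_tlsa: bool, cert_chains_to_trusted_ca: bool) -> str:
    """Word Postfix puts in its 'XXX TLS connection established' summary line
    (assumption: "Verified" only for an authenticated match, "Trusted" for a
    CA-trusted chain that was not used for authentication)."""
    if level == "dane" and cert_matches_tlsa:
        return "Verified"
    if cert_chains_to_trusted_ca:
        return "Trusted"
    return "Untrusted"


# Constructed sample: Ömer's worst case. The sender's domain is not DNSSEC-signed
# (insecure MX lookup) but its MX host, run by a third party, publishes valid
# TLSA records. The policy daemon answered "dane" for this destination.
WORST_CASE = Destination(
    name="example.invalid",        # constructed, not a real destination
    policy_map_level="dane",
    mx_lookup_secure=False,
    tlsa_usable=True,
)


def compare(dest: Destination, global_level: str) -> dict:
    """Default parameter value versus the explicit setting recommended in the
    thread (smtp_tls_dane_insecure_mx_policy = dane)."""
    default = effective_level(dest, global_level)
    explicit = effective_level(dest, global_level, insecure_mx_policy="dane")
    return {
        "default": (default, log_word(default, True, True)),
        "explicit_dane": (explicit, log_word(explicit, True, True)),
    }


if __name__ == "__main__":
    for glob in ("may", "encrypt", "dane"):
        print(f"smtp_tls_security_level = {glob}: {compare(WORST_CASE, glob)}")
```

With the global level at `may` the policy daemon's `dane` answer is silently reduced to `may` and a matching TLSA record only earns a "Trusted" log line; setting `smtp_tls_dane_insecure_mx_policy = dane` in main.cf restores the authenticated "Verified" outcome for the same destination.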