Please consider this example:

tum.de is dane-only
mri.tum.de is dane (because they didn't sign the MX record, but the MX is 
virtually the same signed DANE-supporting SMTP server)

The Postfix config looks like this:

smtp_dns_support_level = dnssec
smtp_tls_security_level = may
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY

Mails sent to postmas...@tum.de are sent via DANE, and mails to 
postmas...@mri.tum.de are sent via unauthenticated TLS, despite opportunistic 
DANE available and returned via the policy map server.

So setting
smtp_tls_dane_insecure_mx_policy = dane
irrespective of smtp_tls_security_level would avoid this WTF moment.

Best,
  Ömer

> Am 09.02.2025 um 16:45 schrieb Viktor Dukhovni via Postfix-users 
> <postfix-users@postfix.org>:
> 
> On Sun, Feb 09, 2025 at 04:35:03PM +0100, Ömer Güven via Postfix-users wrote:
> 
>> I can only endorse this. Simply setting it to „dane“ should solve the
>> hassle and make the operation more consistent and predictable.
> 
> The whole thing is a misunderstanding.  The insecure MX setting is only
> ever used iff the initial policy for the destination was dane, but the
> MX host turned out insecure.  So the global default should indeed not
> be conditioned on the default security level, which is irrelevant.
> 
> Only the initial (before MX lookup) TLS security level for the
> destination determines whether this setting is in scope.
> 
> If you enable "dane" as a default, you also get "half-dane" for the
> insecure MX hosts.  If the default is "may" it is naturally "may"
> also for the insecure MX hosts.
> 
> If a policy table returns (opportunistic) "dane" for a site, then the
> insecure MX hosts behave per the insecure MX setting, so the change to
> make it dependent on the global default should be reverted.  And all
> will be well.  It was correct initially.
> 
> --
>    Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

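The thread above hinges on what the socketmap policy server behind smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY answers for a destination. The following is an added example, not code from either poster or from the Postfix project: a minimal socketmap server in Python that speaks the Postfix socketmap protocol (netstring request "name key", netstring reply "OK value", "NOTFOUND ", "TEMP reason" or "PERM reason") and returns a per-destination TLS policy. The POLICY table contents, the map name QUERY and the listening port 8642 are assumptions chosen to match the configuration quoted in the thread. Returning "dane" from the table is what puts a destination's unsigned MX hosts under smtp_tls_dane_insecure_mx_policy, as Viktor explains; the server itself makes no decision about MX security.

```python
#!/usr/bin/env python3
"""Minimal Postfix socketmap server for smtp_tls_policy_maps.

Added example (not from the mailing-list thread or from Postfix).
Protocol, per socketmap_table(5): each request is a netstring of the form
"<mapname> <key>"; each reply is a netstring "OK <value>", "NOTFOUND ",
"TEMP <reason>" or "PERM <reason>".  Postfix looks up smtp_tls_policy_maps
with the nexthop domain as the key.
"""
import socketserver

# Constructed policy table: nexthop domain -> smtp_tls_policy_maps value.
# "dane" is opportunistic DANE; for such destinations Postfix applies
# smtp_tls_dane_insecure_mx_policy to MX hosts that are not DNSSEC-signed.
POLICY = {
    "tum.de": "dane",
    "mri.tum.de": "dane",
    "example.com": "secure match=example.com:.example.com",
}

MAP_NAME = "QUERY"          # assumed; must match socketmap:inet:host:port:NAME
LISTEN = ("127.0.0.1", 8642)  # assumed, from the configuration in the thread


def encode_netstring(data: bytes) -> bytes:
    """Wrap a payload as "<len>:<payload>,"."""
    return b"%d:%s," % (len(data), data)


def decode_netstring(buf: bytes):
    """Return (payload, remaining_bytes), or None if buf lacks a full netstring."""
    colon = buf.find(b":")
    if colon < 0:
        return None
    length = int(buf[:colon])
    end = colon + 1 + length
    if len(buf) < end + 1:
        return None                      # wait for more data
    if buf[end:end + 1] != b",":
        raise ValueError("malformed netstring")
    return buf[colon + 1:end], buf[end + 1:]


def lookup(request: bytes) -> bytes:
    """Map one decoded request payload ("<mapname> <key>") to a reply payload."""
    try:
        name, key = request.split(b" ", 1)
    except ValueError:
        return b"PERM malformed request"
    if name != MAP_NAME.encode():
        return b"PERM unknown map " + name
    # Normalise the nexthop domain: lower-case, no trailing dot.
    policy = POLICY.get(key.decode("utf-8", "replace").lower().rstrip("."))
    if policy is None:
        return b"NOTFOUND "              # trailing space is part of the protocol
    return b"OK " + policy.encode()


class SocketmapHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests per connection."""

    def handle(self):
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
            while (parsed := decode_netstring(buf)) is not None:
                payload, buf = parsed
                self.wfile.write(encode_netstring(lookup(payload)))
                self.wfile.flush()


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, SocketmapHandler) as srv:
        srv.serve_forever()
```

With this server running, `postmap -q mri.tum.de socketmap:inet:127.0.0.1:8642:QUERY` should print `dane`, which is the answer Ömer describes the policy server returning; whether the unsigned MX host of that destination is then treated as "half-dane" or "may" is decided by smtp_tls_dane_insecure_mx_policy in the Postfix SMTP client, not by the map.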