On 14/12/2013 8:37 AM, Wietse Venema wrote:
Does this do anything to solve "man in the middle" who presents an
apparently valid cert (usually generated on the fly)? Because I thought
the only way to detect this was to compare the fingerprint of the key
presented with the known fingerprint.
With at least one mode of DANE operation, the SMTP server's TLS
public-(key or certificate) fingerprint is in the TLSA DNS record.
Will that be sufficient for your purposes?
YES!
Just a thought, maybe there is a more appropriate forum/mail list to
discuss this on, as this is not strictly Postfix related?
I suggest reading the IETF mailing list and documents first.
Hear it from the horse's mouth, as it were.
Wietse
An excellent idea, particularly as you are talking to the dumbest bit of
the horse at the moment.
JohnA
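The check Wietse describes above, as an added example that is not part of this thread and not Postfix's own code: the domain owner hashes the server's SubjectPublicKeyInfo into a TLSA record with usage 3 (DANE-EE), selector 1 (SPKI) and matching type 1 (SHA-256), and the client recomputes that hash over whatever certificate the SMTP server actually presents. A certificate minted on the fly by an on-path attacker carries a different key, so it fails the comparison no matter who signed it. The certificates here are constructed self-signed throwaways, the host name mail.example.com is made up, and only usage 3 is implemented (usage 2, DANE-TA, would additionally require walking the chain to the trust anchor).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the four RDATA fields of a TLSA record (RFC 6698, section 2.1).
type TLSA struct {
	Usage    uint8  // 3 = DANE-EE: match the server's own certificate, no PKIX chain needed
	Selector uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	Matching uint8  // 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
	Data     []byte // certificate association data
}

// associationData applies the selector and matching type to a certificate,
// yielding the bytes that the record's Data field must equal.
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var selected []byte
	switch selector {
	case 0:
		selected = cert.Raw
	case 1:
		selected = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return selected, nil
	case 1:
		sum := sha256.Sum256(selected)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(selected)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
}

// TLSAFromCert builds the record a domain owner would publish for cert.
// Only usage 3 (DANE-EE) is handled in this example.
func TLSAFromCert(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	if usage != 3 {
		return TLSA{}, fmt.Errorf("only usage 3 (DANE-EE) is handled here; got %d", usage)
	}
	data, err := associationData(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, nil
}

// String renders the record in presentation format, e.g. "3 1 1 <hex>".
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data))
}

// Matches is the client-side check: recompute the association data from the
// certificate the SMTP server presented and compare it with the published
// record. No CA validation is involved, so a forged certificate fails here
// regardless of who signed it.
func (t TLSA) Matches(presented *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("only usage 3 (DANE-EE) is handled here; got %d", t.Usage)
	}
	data, err := associationData(presented, t.Selector, t.Matching)
	if err != nil {
		return false, err
	}
	return bytes.Equal(data, t.Data), nil
}

// newSelfSigned creates a throwaway self-signed certificate with a fresh key
// (constructed test input, not a real mail server's certificate).
func newSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := newSelfSigned("mail.example.com")
	rec, _ := TLSAFromCert(server, 3, 1, 1)
	fmt.Println("_25._tcp.mail.example.com. IN TLSA", rec)
	// The attacker's on-the-fly certificate has the same name but a different key.
	mitm, _ := newSelfSigned("mail.example.com")
	ok, _ := rec.Matches(server)
	bad, _ := rec.Matches(mitm)
	fmt.Println("genuine server matches:", ok, " MITM certificate matches:", bad)
}
```

The "3 1 1" form is the one to publish for this purpose: hashing only the SPKI lets the server renew its certificate with the same key without touching DNS, while still pinning exactly the key the client must see. The record is only as trustworthy as the DNS answer it came from, so the lookup has to be DNSSEC-validated before the comparison means anything.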