On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:

> > SMTP is not HTTP. Due to MX indirection, peer authentication is
> > not possible without explicit per-destination configuration. Once
> > you've gone to all that trouble, you may as well configure a "secure"
> > channel.
>
> I know that there are many side-effects and things which don't work,
> but that does not mean that one can at least try?

Sorry, no half-assed solutions that work only sometimes and break
unpredictably.

> Oh yes - DNSSEC. When will it come? In a hundred years?

Available today. Two of my domains are signed, the third will be
shortly. And you're complaining about people being complacent and
stuck in the past.

> Can't postfix simply try to detect what level of trust is possible
> and report that?

Without DNSSEC or explicit per-destination peer name match settings, no.

> 1) unencrypted
> 2) encrypted

Postfix already reports these.

> 3) with a known cert

Replace "known" with "valid trust chain", and Postfix logs this as
"Trusted".

> 4) with a trusted cert matching the hostname

This is meaningless. The MX host is insecure. Many MX hosts have
certs that don't match their name.

> 5) with a trusted cert matching the hostname + hostname == reverse DNS

This is even more meaningless.

> 6) DNSSEC
> whatever else there is...

Postfix 2.11 supports DANE. DANE actually scales, because policy for
each domain is published by that domain. DANE removes the panoply of
~600 widely used CAs from the picture.

If you want secure SMTP transport, direct your efforts at DNSSEC, and
then publish TLSA records for your domain.

-- 
	Viktor.
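The reply above ends with "publish TLSA records for your domain" and notes that the policy for each domain is published by that domain rather than by a CA. The following is an added illustration of what that policy looks like on the wire and how an SMTP client checks it; it is example code written for this page, not Postfix source and not Viktor's code. It derives an RFC 6698 TLSA record of the form most MX operators publish (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) and then performs the leaf-certificate match a DANE-aware client does against the certificate the MX host presents. The SPKI and certificate bytes are constructed stand-ins rather than real DER, and the MX name mx1.example.com is hypothetical. The "may" / "encrypt" / "dane" fallback in effective_level() follows the behaviour documented for Postfix 2.11's smtp_tls_security_level = dane (no TLSA RRset: opportunistic TLS; TLSA present but none usable: mandatory unauthenticated TLS; usable records: authenticated DANE); the DANE-TA (usage 2) case needs chain building and is deliberately left out of the matcher.

```python
"""TLSA record derivation and DANE-EE leaf matching (added example, not Postfix code)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# RFC 6698 field values. Postfix acts on DANE-TA(2) and DANE-EE(3) only;
# PKIX-TA(0) and PKIX-EE(1) depend on the public CA set DANE is meant to bypass.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1                       # selector: full cert or SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes  # certificate association data (digest or full DER)

    def presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_25._tcp.mx1.example.com. IN TLSA 3 1 1 <hex>'."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host: _port._tcp.<host>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def _associate(mtype: int, blob: bytes) -> bytes:
    """Apply the matching type to a certificate or SPKI DER blob."""
    if mtype == MATCH_FULL:
        return blob
    if mtype == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for_ee_key(spki_der: bytes, mtype: int = MATCH_SHA256) -> TLSA:
    """Build the '3 1 <mtype>' record for an MX host's leaf public key.

    Pinning the SPKI rather than the whole certificate means the record
    survives certificate renewal as long as the key pair is kept.
    """
    return TLSA(DANE_EE, SEL_SPKI, mtype, _associate(mtype, spki_der))


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 e1d2...'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def usable(r: TLSA) -> bool:
    """Records a DANE SMTP client can act on without the public CA PKI."""
    return r.usage in (DANE_TA, DANE_EE) and r.selector in (SEL_CERT, SEL_SPKI) \
        and r.mtype in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512)


def effective_level(records: List[TLSA]) -> str:
    """Security level a 'dane' client ends up with for this MX host.

    Assumes the RRset came back DNSSEC-validated; an unsigned or absent
    RRset behaves like the empty case (opportunistic 'may').
    """
    if not records:
        return "may"
    if not any(usable(r) for r in records):
        return "encrypt"   # TLS is still required, but the peer is unauthenticated
    return "dane"


def dane_ee_match(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable DANE-EE record matches the presented leaf certificate.

    DANE-EE ignores the chain, the certificate name and its expiry: the
    published key IS the policy. DANE-TA records are skipped here because
    they require matching an issuer in the presented chain.
    """
    for r in records:
        if r.usage != DANE_EE or not usable(r):
            continue
        blob = cert_der if r.selector == SEL_CERT else spki_der
        if _associate(r.mtype, blob) == r.data:
            return True
    return False


if __name__ == "__main__":
    # Constructed stand-ins for DER; real input is the MX host's certificate.
    spki = b"CONSTRUCTED-SPKI-DER-mx1.example.com"
    cert = b"CONSTRUCTED-CERT-DER-wrapping:" + spki
    rec = tlsa_for_ee_key(spki)
    print(rec.presentation(tlsa_owner("mx1.example.com")))
    print("level:", effective_level([rec]), "match:", dane_ee_match([rec], cert, spki))
```

On a real host the association data for a "3 1 1" record is what `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints; the zone must be DNSSEC-signed before the record is worth anything, and a DANE client is enabled in Postfix 2.11 with `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`. When rotating keys, publish the new record alongside the old one for at least the TLSA TTL before switching the certificate, or remote DANE clients will refuse delivery.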