On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
>> I know that there are many side-effects and things which don't work,
>> but that does not mean that one can at least try?
>
> Sorry, no half-assed solutions that work only sometimes and break
> unpredictably.

Yes, the same story again. When it does not work everywhere, then we don't
do it at all.

Oh yes - DNSSEC. When will it come? In a hundred years?

> Available today. Two of my domains are signed, the third will be
> shortly. And you're complaining about people being complacent and
> stuck in the past.

I don't want to have a perfection box which can't communicate with the
rest of the world, but something which helps with today's internet.

>> 3) with a known cert
>
> Replace "known" with "valid trust chain", and Postfix logs this as
> "Trusted".

As you already pointed out, "any known cert" is nearly as meaningless as
"unchecked".

>> 4) with a trusted cert matching the hostname
>
> This is meaningless. The MX host is insecure. Many MX hosts have
> certs that don't match their name.

And there are hosts where everything matches. Why not show it for these?

>> 5) with a trusted cert matching the hostname + hostname == reverse DNS
>
> This is even more meaningless.

It is an additional level of security. Only a very small bit, yes, but it
is another thing an attacker needs to fix.

Couldn't Postfix give something like a score for TLS security:
- 0% if unencrypted
- +5% when encrypted
- +5% if proper algorithm
- +5% if PFS is used
- +5% when cert is trusted
- +5% when cert also matches the MX
- ...
- 95% for DANE.

Yes, we stay below 30% for the current setup, but at least you could evaluate
individual connections. What harm does it do to call some checks and output
the results? They are already in the code, but only used in the perfect
environments.

I took a lot of time to figure out how to properly set up certificates
including the CA chain, but actually I could have saved that time, because it
makes no difference.

I'm doing a lot in spam filtering, and there these score systems are a big
benefit.

>> 6) DNSSEC
>> whatever else there is...
>
> Postfix 2.11 supports DANE, DANE actually scales, because policy
> for each domain is published by that domain. DANE removes the
> panoply of ~600 widely used CAs from the picture.
>
> If you want secure SMTP transport, direct your efforts at DNSSEC,
> and then publish TLSA records for your domain.

Oh, I'll try, but I doubt I will get this done in the next 2 years.

My registrar said today:
"Sorry, currently it is not possible to use DNSSEC for domains registered
here."

But if I understand it right, even if I do everything perfectly and hope that
more systems support that secure approach, I need to configure each system
supporting this individually by hand, without any automatic aid in my own
system?

And then I need to hope that users start to use that information, because
all this work is completely useless until 100% deployed. My 100-year
guess isn't so bad, I think. Very unlikely that this approach will work.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
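Viktor's advice in the thread is to sign the zone and then publish TLSA records for the domain's MX hosts. As an added example (not code from the thread, from Postfix or from the list participants), the stand-alone Python script below shows what a TLSA record actually carries: it extracts the SubjectPublicKeyInfo from a DER certificate, derives DANE-EE rdata (usage 3, selector 1 = SPKI, matching type 1 = SHA-256, the combination RFC 7671 recommends for SMTP), prints the zone line, and performs the verifier-side comparison a DANE-aware MTA makes against the presented certificate. The certificate, key bits, validity dates and the owner name `_25._tcp.mx.example.com.` are constructed placeholders, not a real MX or a real key.

```python
"""Derive and check DANE TLSA rdata (RFC 6698 / RFC 7671) from a DER-encoded
X.509 certificate using only the standard library. Added example; the sample
certificate below is constructed, with a fake key and a fake signature."""
import hashlib

# --- minimal DER encode/decode: enough for the outer X.509 structure -------

def der_encode(tag, body):
    """Encode one TLV with a single-byte tag and definite-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Read the TLV at buf[pos]; return (tag, value, end), buf[pos:end] being the whole TLV."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end


def der_children(value):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_read(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER Certificate."""
    tag, cert_val, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_val = der_children(cert_val)[0][1]            # tbsCertificate
    fields = der_children(tbs_val)
    i = 1 if fields[0][0] == 0xA0 else 0               # optional [0] EXPLICIT version
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[i + 5][2]

# --- TLSA rdata fields (RFC 6698 section 2.1) ---------------------------------

DANE_TA, DANE_EE = 2, 3                    # certificate usage
SEL_FULL, SEL_SPKI = 0, 1                  # selector
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2    # matching type


def tlsa_assoc_data(cert_der, selector, mtype):
    """Certificate association data for the given selector and matching type."""
    data = cert_der if selector == SEL_FULL else spki_from_cert(cert_der)
    if mtype == MT_FULL:
        return data
    if mtype == MT_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MT_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_record(owner, cert_der, usage=DANE_EE, selector=SEL_SPKI, mtype=MT_SHA256):
    """Zone-file line, e.g. for the owner '_25._tcp.mx.example.com.'."""
    assoc = tlsa_assoc_data(cert_der, selector, mtype).hex()
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, assoc)


def tlsa_matches(presented_cert_der, usage, selector, mtype, assoc_hex):
    """Verifier side for DANE-EE: recompute from the presented end-entity
    certificate and compare. DANE-TA (usage 2) needs chain walking, out of scope."""
    if usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    return tlsa_assoc_data(presented_cert_der, selector, mtype).hex() == assoc_hex.lower()

# --- constructed sample certificate (placeholder key, not a real MX) -----------

def _alg(oid_bytes):                       # AlgorithmIdentifier { OID, NULL }
    return der_encode(0x30, der_encode(0x06, oid_bytes) + der_encode(0x05, b""))

RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

SAMPLE_SPKI = der_encode(0x30, _alg(RSA_ENCRYPTION)
                         + der_encode(0x03, b"\x00" + bytes(range(64))))   # fake key bits
_tbs = der_encode(0x30,
                  der_encode(0xA0, der_encode(0x02, b"\x02"))              # version v3
                  + der_encode(0x02, b"\x01")                              # serialNumber
                  + _alg(SHA256_WITH_RSA)                                  # signature
                  + der_encode(0x30, b"")                                  # issuer (empty)
                  + der_encode(0x30, der_encode(0x17, b"140224000000Z")
                               + der_encode(0x17, b"150224000000Z"))       # validity
                  + der_encode(0x30, b"")                                  # subject (empty)
                  + SAMPLE_SPKI)
SAMPLE_CERT = der_encode(0x30, _tbs + _alg(SHA256_WITH_RSA)
                         + der_encode(0x03, b"\x00" + bytes(32)))          # fake signature

if __name__ == "__main__":
    print(tlsa_record("_25._tcp.mx.example.com.", SAMPLE_CERT))
```

Hashing the SPKI rather than the whole certificate (selector 1 instead of 0) is what lets an operator renew the certificate without touching DNS as long as the key stays the same; whichever selector is used, the TLSA rdata is the domain's own statement of policy, which is the "published by that domain" property Viktor points to.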