On Mon, Feb 24, 2014 at 10:15:48PM +0100, Dirk Stöcker wrote:

> >You're asking for a verification status that would indicate
> >conditional MITM protection:
> >
> >    - False negative: MITM protection is illusory when the MX
> >      hostname is compromised through DNS record forgery.
> >
> >    - False positive: No claim of MITM protection when the MX
> >      host's certificate does not match what was expected, even
> >      though it is the right MX host.
> >
> >    - False negative: Your root CA list contains a rogue CA, or
> >      an intermediate CA signed by a trusted CA is rogue.
> >
> >    - False positive: Your root CA list contains too few CAs.
>
> Hmm, points 1, 3, 4 are already true for the current output.

Actually, no. By default Postfix trusts no CAs, even when these are
bundled with the system. And Postfix does not use the insecure MX
hostname by default, it uses the nexthop domain.

The intent is to log "Anonymous" or "Untrusted" for all opportunistic
connections. If you add every CA on the planet to your trusted CA
list, and expect the result to mean something for connections to
any random receiving domain, that's your business.

Only for destinations where you have explicit policy that makes
secure-channels possible, should you get "Trusted" or "Verified",
relative to your carefully selected small set of CAs.

[ No follow-ups to the above. Thanks. ]

> But I have no idea how to use the postfix tools to start a TLS
> connection to such a server without sending an email. This requires
> too much internal knowledge I fear. Last time I tried to call smtp
> tool by hand it told me not to do so and I took that advice.

    /usr/sbin/sendmail -f $(id -nu) -bv 'postmas...@example.com'

or via the "posttls-finger" utility from Postfix 2.11 source tarball.

> >That will allow more cautious users to pilot DANE
> >without worrying about denial of service.
>
> This affects receiving servers with wrongly configured TLSA/DNSSEC
> settings? Actually I thought that stopping mail delivery in case
> DANE is detected and defective is a very good idea.

When you first turn on DANE as a default policy, you have no way
to estimate the impact on your users in terms of deferred mail to
misconfigured sites they want to send to. Having a setting that
allows users to test-drive DANE without enforcement is probably a
good idea. I would prefer if users did not use DANE that way
indefinitely, rather it is a migration aid.

--
Viktor.
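
Added example (not part of the original message and not Postfix code): a small tally of the status words named above ("Anonymous", "Untrusted", "Trusted", "Verified") per outbound destination host, showing which hosts never reach an authenticated session. It assumes the SMTP client's "<status> TLS connection established to host[addr]:port" log line as written with smtp_tls_loglevel = 1; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format the Postfix SMTP client logs with
# smtp_tls_loglevel = 1 (assumed); hosts and addresses are placeholders.
SAMPLE_LOG = """\
Feb 24 22:20:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 22:20:05 mail postfix/smtp[2102]: Anonymous TLS connection established to mx.example.org[192.0.2.20]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 24 22:21:13 mail postfix/smtp[2103]: Verified TLS connection established to mail.example.com[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 22:22:40 mail postfix/smtp[2104]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 22:23:02 mail postfix/smtpd[2105]: Anonymous TLS connection established from client.example.org[192.0.2.40]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Outbound only: the smtp(8) client logs "established to", smtpd(8) logs "from".
TLS_LINE = re.compile(
    r"/smtp\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to ([^\s\[]+)\[([^\]]+)\]:(\d+)"
)
AUTHENTICATED = {"Trusted", "Verified"}


def summarize(log_text):
    """Return {server hostname: Counter of logged TLS status words}."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        match = TLS_LINE.search(line)
        if match:
            status, host = match.group(1), match.group(2).lower()
            summary[host][status] += 1
    return dict(summary)


def opportunistic_only(summary):
    """Hosts that never logged an authenticated (Trusted/Verified) session."""
    return sorted(h for h, c in summary.items() if not AUTHENTICATED & set(c))


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for host in sorted(result):
        print(host, dict(result[host]))
    print("opportunistic only:", opportunistic_only(result))
```
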