On Sat, 02 Aug 2014, Viktor Dukhovni wrote:

> > } Aug 1 09:59:59 s_local@eugeni postfix/smtp[22481]: Untrusted TLS
> > connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with
> > cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> For what recipient domains. You need to find the immediately subsequent
>
>     postfix/smtp[22481]: <queue-id>: to=<...>, relay=..., dsn=...
>
> log entry to determine which domain's mail was routed to posteo.de's
> MX host.

Right, that explains it, thanks: The untrusted instances I looked at came
from a whole mix of posteo.$TLD (for TLD in is, ru, net), none of which are
secure. Delivering to a posteo.de recipient yielded the verified connects.

> > If having one nameserver return SERVFAIL can induce this behavior, then this
> > seems like a potential downgrading vector that could be abused.
>
> Correlation does not imply causation. A false premise yields a false
> conclusion.

Good thing it was guarded with a conditional :)

Cheers,
Peter
-- 
 | .''`.  ** Debian **      Peter Palfrader
 | : :' :      The  universal http://www.palfrader.org/
 | `. `'      Operating System
 |   `-    http://www.debian.org/
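The pairing Viktor describes (match each "TLS connection established" line with the next `to=<...>, relay=...` line logged by the same smtp(8) PID) is easy to get wrong by eye when the MX serves many domains. The script below is an added example, not part of this thread or of Postfix itself; the log lines it parses are constructed to mirror the ones quoted above, and the PID/relay matching is a heuristic that assumes Postfix logs one TLS line per connection before the deliveries made over it.

```python
import re

# Constructed sample log lines (not taken from the thread). The two TLS lines
# and the two delivery lines share one postfix/smtp PID, as in the real log.
SAMPLE_LOG = """\
Aug  1 09:59:59 eugeni postfix/smtp[22481]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 09:59:59 eugeni postfix/smtp[22481]: 3A1B2C3D4E: to=<alice@posteo.is>, relay=mx02.posteo.de[89.146.194.165]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
Aug  1 10:00:05 eugeni postfix/smtp[22481]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 10:00:05 eugeni postfix/smtp[22481]: 5F6A7B8C9D: to=<bob@posteo.de>, relay=mx02.posteo.de[89.146.194.165]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
"""

# Postfix smtp(8) TLS status line: "<level> TLS connection established to <relay>:"
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>\S+):"
)
# Delivery line: "<queue-id>: to=<user@domain>, relay=<relay>, ..."
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<[^@>]*@(?P<domain>[^>]+)>, relay=(?P<relay>\S+),"
)


def attribute_tls(log_text):
    """Return [(recipient_domain, relay, tls_level), ...].

    Each delivery is attributed to the most recent TLS line from the same
    smtp(8) PID, but only when the relay matches, so a delivery on a later
    plaintext connection is not credited with an earlier TLS status.
    """
    last_tls = {}  # pid -> (level, relay) of that process's latest TLS line
    results = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["level"], m["relay"])
            continue
        m = DELIVERY_RE.search(line)
        if m and m["pid"] in last_tls:
            level, relay = last_tls[m["pid"]]
            if relay == m["relay"]:
                results.append((m["domain"].lower(), relay, level))
    return results


def untrusted_domains(log_text):
    """Recipient domains whose mail went out over an Untrusted TLS session."""
    return sorted({d for d, _, lvl in attribute_tls(log_text) if lvl == "Untrusted"})


if __name__ == "__main__":
    for domain, relay, level in attribute_tls(SAMPLE_LOG):
        print(f"{level:9s} {domain:12s} via {relay}")
```

Run against a real mail log, the output separates domains that actually have DANE/policy-verified delivery from those that merely share the same MX.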