On Tue, Jun 23, 2015 at 03:19:04PM -0400, James B. Byrne wrote:

> >> smtp_tls_security_level = dane
> >
> > Not useful without:
> >
> > smtp_dns_support_level = dnssec
> >
> > and "127.0.0.1" as the only "nameserver" entry in /etc/resolv.conf
> > and a validating resolver running on 127.0.0.1. Otherwise, use
> > "may", not "dane".
>
> All MX and delivery hosts have a named instance running on them. Only
> our internal DNS servers are listed in /etc/resolv.conf on any host.
> 127.0.0.1 is the first entry in resolv.conf for hosts running a named
> instance. I do not understand why that should be the only entry
> however.

DANE is supposed to protect against man-in-the-middle (MiTM) attacks. If
your DNS queries are over an insecure channel (go off host), then the
security status of the replies cannot be trusted, and there's not much
point in doing DANE (unless you expect all the attackers to be remote,
beyond the nameservers you use, and never between the host and its
iterative nameserver). That's a rather risky assumption.

> >> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> >
> > Often can be left empty instead. Why load a pile of certificates
> > you don't use. If you must load a pile of certificates, use CApath,
> > not CAfile.
>
> Why is this so? What is the effect of leaving it empty?

No TLS peers are verified via the certificates that would otherwise be
loaded. But you're not doing any verification anyway. DANE does not
need or use a CAfile or CApath.

-- 
Viktor.
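An added shell check (not from this thread or from Postfix itself) that tests the two preconditions Viktor lists before trusting smtp_tls_security_level = dane: smtp_dns_support_level = dnssec in main.cf, and 127.0.0.1 as the only nameserver in resolv.conf. The helper names, the sample files and the 192.0.2.53 fallback address are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: verify the preconditions
# for "smtp_tls_security_level = dane" that Viktor lists. Helper names and
# the sample files below are constructed for the demonstration.

# Effective value of a main.cf parameter (last assignment wins, comments
# skipped; continuation lines are not handled).
cf_get() {  # $1 = main.cf path, $2 = parameter name
    awk -v k="$2" '/^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" k "[ \t]*=") { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                                       sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# True only if every "nameserver" line points at 127.0.0.1: an answer that
# travelled over the network can be altered, so its AD bit proves nothing.
resolv_local_only() {  # $1 = resolv.conf path
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { exit (n == 0 || bad > 0) }' "$1"
}

# Returns 0 when dane is safe (or not requested), 1 when it should be "may".
dane_ready() {  # $1 = main.cf path, $2 = resolv.conf path
    level=$(cf_get "$1" smtp_tls_security_level)
    dns=$(cf_get "$1" smtp_dns_support_level)
    [ "$level" = "dane" ] || { echo "level is '${level:-unset}', nothing to check"; return 0; }
    if [ "$dns" != "dnssec" ]; then
        echo "dane without smtp_dns_support_level = dnssec: use 'may'"; return 1
    fi
    if ! resolv_local_only "$2"; then
        echo "dane with a non-local nameserver in resolv.conf: use 'may'"; return 1
    fi
    echo "dane prerequisites satisfied"
}

# Constructed sample files (192.0.2.53 is a documentation-range placeholder).
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv-local.conf"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv-mixed.conf"
printf 'smtp_tls_security_level = dane\nsmtp_dns_support_level = dnssec\n' > "$tmp/main-dane.cf"
printf '# dnssec support left at the default\nsmtp_tls_security_level = dane\n' > "$tmp/main-weak.cf"

for cf in main-dane main-weak; do
    for rc in resolv-local resolv-mixed; do
        printf '%s + %s: ' "$cf" "$rc"
        dane_ready "$tmp/$cf.cf" "$tmp/$rc.conf" || true
    done
done
```

Only the dane + local-resolver combination passes; every other pairing is reported as one that should fall back to "may".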