Dear Postfix-users community,
As discussed with Wes Hardaker at the last IETF meeting, I'm also sending
here a brief abstract of what we figured out about this issue/idea.
So, publishing the hash of a TLS certificate in TLSA and verifying it with
the DANE part of the Postfix mechanism works, as we tested it. During the
process we created several different "corner case" scenarios to see
where DANE verification breaks, and found one that raised my eyebrows a bit.
So, in the case where we have a mail server named mx.signed-domain.tld and
_25._tcp.mx.signed-domain.tld, and we direct mail (MX) to it from other
signed zones, all is good.
As long as you put MX -> mx.signed-domain.tld in unsigned-domain.tld,
the DANE verification process in Postfix simply stops at the fact that
the MX received can't be DNSSEC-verified, and the whole thing falls back to
the standard delivery process, as in: opportunistic encryption is
established and email gets delivered, usually.
Now we have two options:
- we skip DANE verification even if we could verify the end host
certificate
- we say "I have no idea if this is the place that we are supposed to
send mail to, but hey, if we have an option to verify that this is the
place it says it is, let's verify it".
If we don't verify it, the whole thing falls back to the original
opportunistic mode and delivers email anyway.
Maybe this could be implemented in Postfix, and instead of saying
"Verified TLS connection" in the log we figure out some other description.
In the end, DANE should be an endpoint verification mechanism, not a
delegation verification mechanism. Well, it could also be, but I think we need to
use it in both cases.
Any thoughts?
Cheers and thanks, Jan Zorz
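The scenario in the post, as an added model (not Jan's code and not Postfix's own implementation): a small Python function that decides between DANE-authenticated TLS and plain opportunistic TLS for one MX host, first in the default form described above (the sending domain's MX RRset must itself be DNSSEC-validated before the TLSA records are considered), and then in the "verify the end host anyway" variant the post proposes, reported under a distinct label so it is not logged as a fully verified DANE result. The TLSA matching follows the RFC 6698 presentation format (usage, selector, matching type, data). All inputs are constructed byte strings; no DNS or network lookups are performed, and the policy names are assumptions for this example, not Postfix's actual log strings.

```python
"""
Added example: a model of the DANE-vs-opportunistic TLS decision for an
SMTP client. Constructed inputs only; no DNS, no network.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class TlsaRecord:
    usage: int      # 3 = DANE-EE (end-entity certificate), per RFC 6698
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the presentation form '3 0 1 <hex>' of a TLSA record."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record: TlsaRecord, selected: bytes) -> bool:
    """Compare the bytes chosen by the selector (here: the full certificate)
    against the record's data using the record's matching type."""
    if record.matching == 0:
        return selected == record.data
    if record.matching == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: treat the record as unusable


def decide_policy(mx_dnssec_secure: bool, tlsa_dnssec_secure: bool,
                  tlsa_records, presented_cert: bytes,
                  endpoint_only: bool = False) -> str:
    """
    Return the effective TLS policy for one MX host (labels are this
    example's own, not Postfix log text):

      "encrypt"            opportunistic TLS, no authentication
      "dane-verified"      MX delegation and TLSA both DNSSEC-secure, cert matched
      "dane-endpoint-only" proposed variant: TLSA secure and matched, but the
                           MX delegation came from an unsigned zone
      "mismatch"           secure, usable TLSA data but no record matched
                           (a real client would defer rather than deliver)
    """
    # Default behaviour from the post: an MX that cannot be DNSSEC-validated
    # stops DANE processing before the TLSA records are even considered.
    if not endpoint_only and not mx_dnssec_secure:
        return "encrypt"
    # Without secure TLSA data there is nothing to authenticate against.
    if not tlsa_dnssec_secure or not tlsa_records:
        return "encrypt"
    for rec in tlsa_records:
        if rec.usage == 3 and tlsa_matches(rec, presented_cert):
            if endpoint_only and not mx_dnssec_secure:
                return "dane-endpoint-only"
            return "dane-verified"
    return "mismatch"


# Constructed sample data: this is NOT a real DER certificate, just bytes
# standing in for one, with a TLSA "3 0 1" record carrying its SHA-256.
SAMPLE_CERT = b"constructed-not-a-real-certificate"
SAMPLE_TLSA_TEXT = "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()
SAMPLE_RECORDS = [parse_tlsa(SAMPLE_TLSA_TEXT)]


def scenarios() -> dict:
    """The cases from the post, evaluated with the constructed data."""
    return {
        "mx from signed zone, default": decide_policy(
            True, True, SAMPLE_RECORDS, SAMPLE_CERT),
        "mx from unsigned zone, default": decide_policy(
            False, True, SAMPLE_RECORDS, SAMPLE_CERT),
        "mx from unsigned zone, endpoint-only variant": decide_policy(
            False, True, SAMPLE_RECORDS, SAMPLE_CERT, endpoint_only=True),
        "mx from signed zone, wrong certificate": decide_policy(
            True, True, SAMPLE_RECORDS, b"some-other-certificate"),
    }


if __name__ == "__main__":
    for label, policy in scenarios().items():
        print(f"{label}: {policy}")
```

The second and third scenarios are the two options in the post side by side: with the default rule the unsigned MX delegation degrades everything to opportunistic TLS, while the endpoint-only variant still authenticates the host but reports it separately so the log does not claim more than was actually verified.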