> On Mar 20, 2018, at 11:34 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> 3) duplicate some TLSA logic in the tlsproxy daemon, if it can't
> be factored out into a reusable library.
It is probably time to refactor the original Postfix 2.11 DANE internals to look a lot more like the new DANE API in OpenSSL 1.1.0, which should serialize a bit more easily.

One complication is that we often have more than one smtp(8) delivery agent in master.cf, and different delivery agent instances may have different settings for smtp_tls_CAfile and smtp_tls_CApath, different cipher requirements, .... And yet I don't think we'd want a separate per-agent-instance proxy. This probably means that the proxy needs a set of SSL_CTX contexts, on a per-service basis, with each context configured with the settings that would have been applied by the delivery agent itself in prior versions of Postfix.

With authenticated TLS (level > encrypt), re-use based on MX-host IP address, rather than destination domain, looks difficult: TLS policy is by name, not by IP, and peer matching uses destination-specific patterns on the subject altnames or various fingerprints. I expect obstacles ensuring that the peer authentication criteria apply and would be tempted to forego IP-based re-use with authenticated TLS. If the policy is "may" or "encrypt" then of course IP-based reuse would be viable.

-- 
Viktor.
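The design sketched in the message above (one context per master.cf service, and connection re-use keyed by IP only when the peer need not be authenticated) can be written down as a small decision rule. The following is an added illustration, not Postfix or OpenSSL code: the `ContextPool` class stands in for a per-service set of SSL_CTX objects, the `DeliveryRequest` fields and the `match` tuple are constructed for the example, and the security-level names are the Postfix `smtp_tls_security_level` values the message refers to.

```python
"""Per-service TLS context pool and connection-reuse key for a shared TLS
proxy.  Added illustration of the design discussed on the list; this is
not Postfix code and the field names are constructed for the example."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# smtp_tls_security_level values, split by whether the peer is authenticated.
# "none" is left out: such deliveries never need the proxy at all.
OPPORTUNISTIC = frozenset({"may", "encrypt"})
AUTHENTICATED = frozenset({"dane", "dane-only", "fingerprint", "verify", "secure"})


@dataclass(frozen=True)
class ServiceTlsSettings:
    """Settings an smtp(8) instance in master.cf would have applied itself
    (CAfile, CApath, cipher grade); the proxy needs one context per service."""
    cafile: Optional[str]
    capath: Optional[str]
    ciphers: str


class ContextPool:
    """Stand-in for a set of SSL_CTX objects, one per master.cf service name."""

    def __init__(self) -> None:
        self._contexts: Dict[str, ServiceTlsSettings] = {}

    def register(self, service: str, settings: ServiceTlsSettings) -> None:
        self._contexts[service] = settings

    def context_for(self, service: str) -> ServiceTlsSettings:
        # A delivery from an unregistered service must fail closed rather than
        # silently fall back to some other service's CA or cipher settings.
        if service not in self._contexts:
            raise LookupError(f"no TLS context registered for service {service!r}")
        return self._contexts[service]


@dataclass(frozen=True)
class DeliveryRequest:
    service: str            # master.cf service name ("smtp", "relay", ...)
    level: str              # smtp_tls_security_level in effect for this delivery
    nexthop: str            # destination domain that drives policy and name matching
    mx_ip: str              # address of the MX host actually being connected to
    match: Tuple[str, ...]  # expected names or fingerprints (constructed format)


def reuse_key(req: DeliveryRequest) -> tuple:
    """Cache key under which an established connection may be handed out again.

    At "may"/"encrypt" only the service (hence the SSL_CTX settings), the level
    and the MX IP matter, so two destinations behind the same MX share a key.
    At authenticated levels the destination name and its matching criteria
    become part of the key, because policy is looked up by name and the peer
    certificate is matched against destination-specific patterns.
    """
    if req.level in OPPORTUNISTIC:
        return (req.service, req.level, req.mx_ip)
    if req.level in AUTHENTICATED:
        return (req.service, req.level, req.mx_ip, req.nexthop, req.match)
    raise ValueError(f"unsupported security level {req.level!r}")


def can_reuse(existing: DeliveryRequest, new: DeliveryRequest) -> bool:
    """True when a connection opened for `existing` may also serve `new`."""
    return reuse_key(existing) == reuse_key(new)


if __name__ == "__main__":
    pool = ContextPool()
    pool.register("smtp", ServiceTlsSettings(None, "/etc/ssl/certs", "medium"))
    a = DeliveryRequest("smtp", "encrypt", "example.com", "192.0.2.25", ())
    b = DeliveryRequest("smtp", "encrypt", "example.org", "192.0.2.25", ())
    print("encrypt, same MX, different domains ->", can_reuse(a, b))
    c = DeliveryRequest("smtp", "verify", "example.com", "192.0.2.25", ("example.com",))
    d = DeliveryRequest("smtp", "verify", "example.org", "192.0.2.25", ("example.org",))
    print("verify, same MX, different domains  ->", can_reuse(c, d))
```

The key deliberately includes the service name at every level, so that a connection negotiated under one delivery agent instance's CAfile/CApath and cipher settings is never reused by an instance with different ones.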