Matus UHLAR - fantomas:
> >Wietse Venema:
> >> Rich Felker:
> >> > > It would be a mistake to use TLSA records from an unsigned domain.
> >> > > That would be no more secure than accepting a random server
> >> > > certificate. All the pain of doing TLSA and none of the gain, just
> >> > > security theatre.
> >> >
> >> > It's not security theater. It (1) ensures that you do use records for
> >> > a signed domain even if you were unable to determine it was signed,
> >> > due to issues like lack of AD bit in musl or stripping of AD bit by
> >> > glibc default configuration, and (2) makes it so an attacker wanting
> >> > to MITM needs to be able to do so on DNS channel, not just route to
> >> > the MX. (For example this might be difficult or impossible for the
> >> > attacker if DNS is routed over DoH, or if attacker can sit somewhere
> >> > between client and MX but not between client and the nearest anycast
> >> > 8.8.8.8.)
> >>
> >> Congratulations! You just gave a new definition of security theatre:
> >> using an unauthenticated channel to distribute trust anchors. You
> >> can consider libc-musl as unsupported from now on.
>
> On 19.04.20 13:11, Wietse Venema wrote:
> >Verified on alpine-3.11.5.
> >
> >alpine:~/postfix-3.6-20200419$ make makefiles
> >...
> >Warning: libc-musl breaks DANE/TLSA security.
> >Use a glibc-based Linux distribution instead.
> >Remove this test to build unsupported Postfix.
> >make: *** [Makefile:79: makefiles] Error 1
>
> Isn't this contrary to what you have said before?
>
> https://marc.info/?l=postfix-users&m=158715103506366&w=2
> > However, if people want to shoot
> > themselves in the foot, then Postfix won't stop them.
No, in this case it is LIBC-MUSL that shoots you in the foot.
I can't allow THAT to happen.
Wietse
