On Mon, Jul 27, 2020 at 09:46:10AM +0200, Tomas Korbar wrote:
> Hi guys,
> I would like to start a discussion about support for SRV records, mainly
> the record for the submission service of a domain.
> As is stated in [0], a domain can publish a DNS record which tells services
> where the submission service of this domain is.
> This could be used for auto-configuration of Postfix's relayhost option.
> I used this patch [1] to make postfix 3.5.4 support resolving of this:
> "relayhost = [_submission._tcp.$mydomain]:587"
> as a valid host for submission of mail in my domain. This will allow users
> to automate their configurations a little more.
> I would like to know your opinion and whether this could be officially
> supported.
> Thanks for any help.
>
> [0] - https://tools.ietf.org/html/rfc6186#section-3
> [1] - https://tkorbar.fedorapeople.org/postfix-3.5.4-relayhost.patch
This RFC introduces a serious security issue. If you're using password-equivalent authentication (PLAIN, LOGIN) or even a bearer token for tokens that are replayable (so perhaps also OAUTH), then you MUST NOT trust insecure (non-DNSSEC) SRV records to redirect you to an unknown server.

The Postfix smtp(8) client is not an interactive user-agent that can pop up a dialogue box to confirm the validity of the purported MSA. [And we all know how well security-relevant user dialogues work in any case...]

So unless you're only using client certs or CRAM or similar (the latter stores password-equivalent secrets on the server, which is also not so great), use of SRV records to locate the MSA has some questionable security properties. The MSA needs to be authenticated before password-equivalent authentication is performed.

-- 
Viktor.
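The decision Viktor is describing, written out as an added example in Python; this is not code from the thread, from Tomas's patch, or from Postfix. It models an MTA that has looked up `_submission._tcp.<domain>` SRV records and must decide whether the selected MSA may receive the configured SASL credentials. The rule it applies: a target learned from an SRV record that the resolver did not DNSSEC-validate may only be used with replayable (password-equivalent) mechanisms if, as a policy relaxation chosen here and not stated in the thread, the target stays under the configured domain and the client will verify the server certificate against that exact target name (which in Postfix terms corresponds to `smtp_tls_security_level = secure`). The SRV answers, the domain name and the `dnssec_validated` / `tls_verifies_target` flags are constructed inputs standing in for the resolver's AD bit and the TLS policy; the names `choose_msa`, `select_srv`, `in_domain` and `Decision` are this example's own.

```python
# Added example (not from the thread or Postfix): decide whether an MSA
# discovered via _submission._tcp SRV records may be handed
# password-equivalent credentials.  All DNS data below is constructed.
from dataclasses import dataclass
from typing import Optional, Sequence
import random


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN of the MSA, trailing dot optional


@dataclass(frozen=True)
class Decision:
    relayhost: Optional[str]  # Postfix-style "[host]:port", or None if refused
    reason: str


# SASL mechanisms whose credentials an impostor MSA could capture and replay.
REPLAYABLE_MECHS = frozenset({"PLAIN", "LOGIN", "XOAUTH2", "OAUTHBEARER"})


def select_srv(records: Sequence[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 target selection: the lowest priority wins; within that
    priority pick randomly in proportion to weight (zero-weight entries are
    only chosen when every candidate has weight zero)."""
    if not records:
        raise ValueError("no SRV records")
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(1, total)
    running = 0
    for r in candidates:
        running += r.weight
        if running >= pick:
            return r
    return candidates[-1]  # not reachable; keeps the return type total


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    n, d = name.lower().rstrip("."), domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)


def choose_msa(domain: str, records: Sequence[SrvRecord], *,
               dnssec_validated: bool, sasl_mechs: Sequence[str],
               tls_verifies_target: bool, seed: int = 0) -> Decision:
    """dnssec_validated mirrors the resolver's AD bit for the SRV answer;
    tls_verifies_target means the server certificate will be matched against
    the SRV target name before any credential is sent."""
    if not records:
        return Decision(None, "no _submission._tcp SRV record; keep static relayhost")
    srv = select_srv(records, random.Random(seed))
    host = srv.target.rstrip(".").lower()
    relayhost = f"[{host}]:{srv.port}"
    replayable = [m for m in sasl_mechs if m.upper() in REPLAYABLE_MECHS]

    # Without certificate verification the MSA is never authenticated, so the
    # SRV answer's provenance does not matter: refuse.
    if not tls_verifies_target:
        return Decision(None, "refuse: TLS does not verify the MSA certificate")
    if dnssec_validated:
        return Decision(relayhost, "ok: DNSSEC-validated SRV and certificate checked")
    if not replayable:
        return Decision(relayhost, "ok: unvalidated SRV, but no replayable credentials")
    # Policy relaxation assumed by this example: an unvalidated SRV may still
    # be followed if the target stays under the domain we were configured for.
    if in_domain(host, domain):
        return Decision(relayhost, f"ok: unvalidated SRV, target stays under {domain}")
    return Decision(None, "refuse: unvalidated SRV points outside "
                          f"{domain} and {','.join(replayable)} is replayable")


# Constructed sample answers for example.org (not real DNS data).
SAMPLE_SRV = [
    SrvRecord(10, 60, 587, "mail1.example.org."),
    SrvRecord(10, 40, 587, "mail2.example.org."),
    SrvRecord(20, 0, 587, "backup.example.org."),
]
# A forged answer an off-path attacker might inject into a non-validating resolver.
SPOOFED_SRV = [SrvRecord(0, 0, 587, "msa.attacker.example.")]

if __name__ == "__main__":
    for recs, ad in ((SAMPLE_SRV, True), (SAMPLE_SRV, False), (SPOOFED_SRV, False)):
        d = choose_msa("example.org", recs, dnssec_validated=ad,
                       sasl_mechs=["PLAIN"], tls_verifies_target=True)
        print(d.relayhost, "-", d.reason)
```

Run stand-alone, the script accepts the in-domain targets and refuses the spoofed off-domain target for PLAIN; switch `sasl_mechs` to `["EXTERNAL"]` (client certificates) and the same unvalidated record is accepted, which is the distinction Viktor draws between replayable and non-replayable credentials.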