Viktor Dukhovni:
> On Mon, Jul 27, 2020 at 09:46:10AM +0200, Tomas Korbar wrote:
> 
> > Hi guys,
> > I would like to start a discussion about support for SRV records, mainly
> > record for submission service of a domain.
> > As is stated in [0], a domain can publish a DNS record, which tells services
> > where the submission service of this domain is.
> > This could be used for auto configuration of postfix's relayhost option.
> > I used this patch [1] to make postfix 3.5.4 support resolving of this:
> > "relayhost = [_submission._tcp.$mydomain]:587"
> > as a valid host for submission of mail in my domain. This will allow users
> > to automate their configurations a little more.
> > I would like to know your opinion and whether this could be officially
> > supported.
> > Thanks for any help.
> > 
> > [0] - https://tools.ietf.org/html/rfc6186#section-3
> > [1] - https://tkorbar.fedorapeople.org/postfix-3.5.4-relayhost.patch
> 
> This RFC introduces a serious security issue.  If you're using
> password-equivalent authentication (PLAIN, LOGIN) or even bearer token
> for tokens that are replayable (so perhaps also OAUTH), then you MUST
> NOT trust insecurely (non-DNSSEC) SRV records to redirect you to an
> unknown server.
> 
> The Postfix smtp(8) client is not an interactive user-agent that can pop
> up a dialogue box to confirm the validity of the purported MSA.  [And we
> all know how well security-relevant user-dialogues work in any case...]
> 
> So unless you're only using client certs or CRAM or similar (the latter
> stores password-equivalent secrets on the server, which is also not so
> great), use of SRV records to locate the MSA has some questionable
> security properties.
> 
> The MSA needs to be authenticated before password-equivalent authentication
> is performed.

Authenticate what hostname? The SRV record is like an MX record on
steroids, there are no guarantees about what hostname to expect. 

Is DNS over HTTP supposed to be the answer for that?

        Wietse
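
The rule from the quoted message (do not let an SRV answer that was not DNSSEC-validated redirect a submission that uses replayable credentials), as an added example that is not part of the thread and is not Postfix code. The dig-style responses are constructed, the function names are hypothetical, and the AD flag is assumed to come from a validating resolver reached over a trusted path (for example on localhost).

```python
import re

# Mechanisms the quoted message treats as handing the server a replayable
# secret. OAUTHBEARER is included conservatively ("perhaps also OAUTH").
REPLAYABLE = {"PLAIN", "LOGIN", "OAUTHBEARER"}

# Constructed dig-style responses for illustration, not captured output.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_submission._tcp.example.org. 3600 IN SRV 0 1 587 mail.elsewhere.example.
"""
SIGNED = UNSIGNED.replace("flags: qr rd ra;", "flags: qr rd ra ad;")

def parse_srv_response(text):
    """Return (ad_flag_set, [(priority, weight, port, target), ...])."""
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    ad = bool(flags) and "ad" in flags.group(1).split()
    records = [
        (int(p), int(w), int(port), target.rstrip(".").lower())
        for p, w, port, target in re.findall(
            r"\sIN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", text)
    ]
    # Lowest priority first; RFC 2782 weighted selection is omitted here.
    return ad, sorted(records)

def relay_decision(text, sasl_mechanisms):
    """Decide whether an SRV answer may redirect an authenticated submission."""
    ad, records = parse_srv_response(text)
    if not records:
        return ("reject", "no SRV record in answer")
    _, _, port, target = records[0]
    if target == "":  # RFC 2782: a target of "." means the service is not offered
        return ("reject", "service explicitly not available")
    risky = sorted(REPLAYABLE & {m.upper() for m in sasl_mechanisms})
    if risky and not ad:
        return ("reject",
                "unvalidated SRV with replayable credentials: " + ",".join(risky))
    # Returned in the bracketed host:port form used for relayhost in the thread.
    return ("use", f"[{target}]:{port}")
```

This only gates the redirect on DNSSEC validation; which name the server certificate should then be checked against is the question left open in the reply above.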
