On Fri, Jan 07, 2022 at 07:28:32AM -0500, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Fri, Jan 07, 2022 at 11:34:32AM +0100, Charlotte 🦝 Delenk wrote:
>
> > I was trying to harden my postfix configuration and was looking into
> > making TLS mandatory, as well as verifying the TLS Certificate using
> > DANE wherever possible.
>
> TLS mandatory for delivery to the world at large? Or is your Postfix
> only sending email to a specific set of domains known to support TLS?
>
> When I added DANE support to Postfix in 2013, it seemed unlikely that
> there'd be a set of domains small enough to be sure that they all
> support STARTTLS and yet too large to explicitly configure some for DANE
> and others for mandatory TLS.
>
> Thus, unfortunately, when you specify "dane", in the absence of TLSA
> records for the nexthop domain's MX hosts you get "may", rather than
> "encrypt".
>
> > According to the documentation of smtp_tls_security_level, you can
> > either set the value to "encrypt" for mandatory TLS or "dane" for
> > optional DANE, but not both.
>
> Correct.
>
> > Is there a way to combine "encrypt" with "dane"?
>
> Hypothetically (but not in practice) possible given a sufficiently
> programmable resolver, that reports all domains as signed (validating
> those that really are), and can synthesise TLSA records for MX hosts
> that lack them, with the synthetic records having an unsupported "usage"
> or "selector", in which case Postfix will do mandatory TLS.
>
> I doubt such a resolver is easily available, and it is almost certainly
> much easier to patch Postfix to support "encrypt" when "dane" is not an
> option.
>
> --
> Viktor.

When reading the documentation on smtp_tls_security_level, I thought
dane-falling-back-to-encrypt seemed to be a missing option. But I thought
it would never be used as a default, and for any non-default specific
remote server, you're likely to know whether they do DANE or not, so you
could always pick "dane" or "encrypt" for those. But it would be nice not
to have to know whether a known peer has DANE or just TLS.

After all, they might change their mind, start with just TLS, and then
implement DANE later on. A security level that automatically upgraded
from "encrypt" to "dane" when DANE becomes available seems like a good
idea.

Any chance of a new security level? Perhaps it could have a nice simple
name like "mandatory". But I think that's what "encrypt" is meant to
convey. Perhaps "encrypt" could be changed to automatically upgrade to
"dane" (except that it would change existing behaviour). Something like
"dane-or-encrypt" would be clear (but yuk).

Would many people use it? I don't need it. It just seems like a good idea.

cheers,
raf
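Since the "dane-or-encrypt" level discussed above does not exist, the per-destination choice Viktor describes (some domains "dane", others "encrypt") can be made outside Postfix when the smtp_tls_policy_maps table is generated. The following is an added example, not Postfix code or anything from this thread: it assumes the destination's MX hosts are already known (and that their MX records are DNSSEC-signed), and replaces real DNS with constructed TLSA answers so it runs offline.

```python
"""Added example, not Postfix code: build an smtp_tls_policy_maps table that
uses "dane" where every MX host publishes usable, DNSSEC-signed TLSA records
and "encrypt" (mandatory TLS) otherwise, approximating a dane-or-encrypt
level at table-generation time."""
from typing import Callable, Dict, Iterable, List, NamedTuple, Tuple

class TlsaLookup(NamedTuple):
    """Hypothetical result of resolving _25._tcp.<mx> IN TLSA."""
    records: Tuple[Tuple[int, int, int], ...]  # (usage, selector, matching)
    secure: bool  # True only if the answer was DNSSEC-validated (AD bit)

Resolver = Callable[[str], TlsaLookup]

def tlsa_usable(lookup: TlsaLookup) -> bool:
    """Postfix acceptance rule: validated answer with a record of usage 2/3
    (DANE-TA/DANE-EE), selector 0/1 and matching type 0/1/2."""
    return lookup.secure and any(
        u in (2, 3) and s in (0, 1) and m in (0, 1, 2) for u, s, m in lookup.records)

def choose_level(mx_hosts: Iterable[str], resolve: Resolver) -> str:
    """Require usable TLSA on every MX host: under "dane" Postfix falls back
    to "may" for any MX host without them, which this table must avoid."""
    hosts = list(mx_hosts)
    return "dane" if hosts and all(tlsa_usable(resolve(h)) for h in hosts) else "encrypt"

def build_policy_map(destinations: Dict[str, List[str]], resolve: Resolver) -> List[str]:
    """One "nexthop level" line per destination, hash/texthash table format."""
    return [f"{dom} {choose_level(mxs, resolve)}"
            for dom, mxs in sorted(destinations.items())]

# Constructed sample DNS answers standing in for a real validating resolver.
FAKE_DNS = {
    "mx1.example.org": TlsaLookup(((3, 1, 1),), True),
    "mx2.example.org": TlsaLookup(((2, 0, 1),), True),
    "mail.example.net": TlsaLookup((), True),           # signed zone, no TLSA
    "mx.example.com": TlsaLookup(((3, 1, 1),), False),  # TLSA but unsigned zone
}
SAMPLE_DESTINATIONS = {
    "example.org": ["mx1.example.org", "mx2.example.org"],
    "example.net": ["mail.example.net"],
    "example.com": ["mx.example.com"],
}

def fake_resolve(mx: str) -> TlsaLookup:
    return FAKE_DNS.get(mx, TlsaLookup((), False))

if __name__ == "__main__":
    print("\n".join(build_policy_map(SAMPLE_DESTINATIONS, fake_resolve)))
```

Because the table reflects DNS state at generation time, it has to be regenerated (and postmap'ed) periodically so a peer that later publishes TLSA records is upgraded from "encrypt" to "dane", which is the automatic upgrade the post asks for.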