Dear Postfix users,
We are using

    smtp_tls_security_level = dane
    smtp_tls_policy_maps = hash:/project/mx/etc/tls_policy

where the file `tls_policy` contains the domains of several research
institutions to use the security level `verify` or even `secure`.
All other TLS connections without DNSSEC/DANE but still a correct
certificate setup, that could be verified, are marked as just *Trusted*,
as documented in *What do "Anonymous", "Untrusted", etc. in Postfix
logging mean?* [1].
Is there a way to have some verification level `dane-verify-log`, which
would, for non-DANE connections, also try to verify the hostname, and log

    Verified TLS connection established to …

if the remote SMTP server’s certificate was signed by a CA trusted by
the Postfix SMTP client, and the certificate name matches the
destination or server name(s)? Messages would still be delivered to SMTP
servers where the certificate name does *not* match the destination or
server name.
I think it would be useful to extract communication partners from the
log where the TLS setup could be improved, especially as the GDPR [2]
states [3]:
Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well as
the risk of varying likelihood and severity for the rights and
freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to ensure
a level of security appropriate to the risk, including inter alia as
appropriate:
[…]
(b) the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services;
[…]
So, as end-to-end encryption is not adopted, not verifying the hostname
of the SMTP server might be a violation. (Best would be if everybody
were required to use DNSSEC/DANE, but people might argue it’s *Stand
von Wissenschaft und Technik* (state of scientific knowledge and
technology), though at least in Germany, where United Media (Web.de,
GMX), mailbox.org, and Posteo use DNSSEC/DANE, I would disagree and
call it state of the art.)
Kind regards,
Paul
[1]: https://www.postfix.org/FORWARD_SECRECY_README.html#status
[2]: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
[3]: https://gdpr-info.eu/art-32-gdpr/
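The log-mining step Paul describes (finding communication partners whose TLS setup could be improved) can be done today from the "<level> TLS connection established to <host>[<ip>]:<port>: ..." lines that the Postfix SMTP client already writes, joined with the "to=<...>, relay=<host>[...]" delivery lines to get back from the MX hostname to the recipient domain that a `smtp_tls_policy_maps` entry would key on. The following is an added example, not code from the post or from the Postfix project; the log excerpt is constructed, and the hostnames and domains in it are placeholders. It reports, per recipient domain, the best trust level ever seen for that domain's MX hosts, listing only domains that never reached "Verified". Note the limit Paul points out: "Trusted" only says the CA chain verified under the opportunistic fallback, it does not say whether the certificate name would have matched, so a domain listed as Trusted is a candidate to investigate, not automatically safe to move to `verify`.

```python
import re

# Constructed sample log excerpt (not from a real mail system). The TLS lines use the
# format the Postfix SMTP client logs on connection setup; the delivery lines use the
# usual "queueid: to=<...>, relay=<host>[<ip>]:<port>, ..." shape. Hosts/domains are placeholders.
SAMPLE_LOG = """\
Jun  3 10:01:12 mx postfix/smtp[2310]: Verified TLS connection established to mx1.example-university.edu[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  3 10:01:13 mx postfix/smtp[2310]: 4A1B2C3D4E: to=<dave@example-university.edu>, relay=mx1.example-university.edu[192.0.2.10]:25, delay=1.1, delays=0.1/0.01/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  3 10:02:45 mx postfix/smtp[2315]: Trusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  3 10:02:46 mx postfix/smtp[2315]: 5B2C3D4E5F: to=<alice@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  3 10:03:01 mx postfix/smtp[2316]: Untrusted TLS connection established to smtp.example.net[203.0.113.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  3 10:03:02 mx postfix/smtp[2316]: 6C3D4E5F60: to=<bob@example.net>, relay=smtp.example.net[203.0.113.22]:25, delay=0.9, delays=0.1/0.01/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  3 10:04:30 mx postfix/smtp[2320]: Anonymous TLS connection established to relay.example.com[203.0.113.40]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Jun  3 10:04:31 mx postfix/smtp[2320]: 7D4E5F6071: to=<carol@other.example>, relay=relay.example.com[203.0.113.40]:25, delay=1.0, delays=0.1/0.01/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  3 10:05:00 mx postfix/smtp[2322]: Trusted TLS connection established to mail.example.org[198.51.100.8]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  3 10:06:11 mx postfix/smtp[2330]: connect to mx2.example-university.edu[192.0.2.11]:25: Connection refused
"""

# "<level> TLS connection established to <host>[<ip>]:<port>: <proto> with cipher <cipher> ..."
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[[^\]]+\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# "<queueid>: to=<user@domain>, relay=<host>[<ip>]:<port>, ..." ties the MX host to the recipient domain.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^@>]+@(?P<domain>[^>]+)>, relay=(?P<host>[^\[\s]+)\["
)

# Ordering of the trust levels documented in FORWARD_SECRECY_README / TLS_README.
LEVEL_RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}


def parse_log(text):
    """Return (tls_events, relay_domains): TLS handshake records and host -> {recipient domains}."""
    tls_events, relay_domains = [], {}
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_events.append(m.groupdict())
            continue
        m = DELIVERY_RE.search(line)
        if m:
            relay_domains.setdefault(m["host"], set()).add(m["domain"].lower())
    return tls_events, relay_domains


def best_level_per_host(tls_events):
    """Highest trust level observed for each MX host (a host may be hit at several IPs)."""
    best = {}
    for e in tls_events:
        if LEVEL_RANK[e["level"]] > LEVEL_RANK.get(best.get(e["host"]), -1):
            best[e["host"]] = e["level"]
    return best


def improvement_candidates(text):
    """Recipient domains whose MX hosts were never logged as 'Verified', with the
    weakest level among those hosts. If no delivery line names the host, the MX
    hostname itself is reported so nothing is silently dropped."""
    tls_events, relay_domains = parse_log(text)
    candidates = {}
    for host, level in best_level_per_host(tls_events).items():
        if level == "Verified":
            continue
        for domain in relay_domains.get(host, {host}):
            if domain not in candidates or LEVEL_RANK[level] < LEVEL_RANK[candidates[domain]]:
                candidates[domain] = level
    return candidates


if __name__ == "__main__":
    for domain, level in sorted(improvement_candidates(SAMPLE_LOG).items()):
        print(f"{domain:30} {level}")
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the file contents. Domains reported as Anonymous or Untrusted are the clear cases (no usable CA chain at all); domains reported as Trusted are the ones where the missing piece is exactly the hostname check the post asks about, and a manual `openssl s_client -connect host:25 -starttls smtp` look at the certificate names, or a DNSSEC/TLSA check with the partner, is the next step before adding them to `tls_policy` with `verify` or `secure`.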