Paul Menzel:
> Dear Postfix users,
>
> We are using
>
>     smtp_tls_security_level = dane
>     smtp_tls_policy_maps = hash:/project/mx/etc/tls_policy
>
> where the file `tls_policy` contains the domains of several research
> institutions to use the security level `verify` or even `secure`.
>
> All other TLS connections without DNSSEC/DANE but still a correct
> certificate setup, that could be verified, are marked as just *Trusted*,
> as documented in *What do "Anonymous", "Untrusted", etc. in Postfix
> logging mean?* [1].
So far, things work as promised, though not as desired. In non-DANE
sessions, the TLS level specifies a minimum. If you don't specify
'verify', then non-DANE sessions are not verified.

> Is there a way to have some verification level `dane-verify-log`, which
> would, for no "DANE connections", also try to verify the hostname, and log
>
>     Verified TLS connection established to ...
>
> if the remote SMTP server's certificate was signed by a CA, trusted
> by the Postfix SMTP client, and the certificate name matches the
> destination or server name(s). Messages would still be delivered to
> SMTP servers, where the certificate name does *not* match the
> destination or server name.

Viktor and I have been discussing a design that supports more than just
a minimum level. There may still be time to do this in the Postfix 3.8
cycle. But keep in mind that without 'verify' enforcement, a connection
can be downgraded to just the minimum level.

	Wietse

> I think, it would be useful to extract communication partners from the
> log, where the TLS setup could be improved. Especially, as the GDPR [2]
> states [3]:
>
> > Taking into account the state of the art, the costs of implementation
> > and the nature, scope, context and purposes of processing as well as
> > the risk of varying likelihood and severity for the rights and
> > freedoms of natural persons, the controller and the processor shall
> > implement appropriate technical and organisational measures to ensure
> > a level of security appropriate to the risk, including inter alia as
> > appropriate:
> > [...]
> > (b) the ability to ensure the ongoing confidentiality, integrity,
> > availability and resilience of processing systems and services;
> > [...]
>
> So, as end-to-end encryption is not adopted, not verifying the hostname
> of the SMTP server might be a violation.
> (Best would be, if everybody would be required to use DNSSEC/DANE, but
> people might argue it's *Stand von Wissenschaft und Technik*, though at
> least in Germany, where United Media (Web.de, GMX), mailbox.org, and
> Posteo use DNSSEC/DANE, at least I would disagree, and call it state of
> the art.)
>
> Kind regards,
>
> Paul
>
> [1]: https://www.postfix.org/FORWARD_SECRECY_README.html#status
> [2]: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
> [3]: https://gdpr-info.eu/art-32-gdpr/
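Paul's wish to "extract communication partners from the log, where the TLS setup could be improved" can already be done from the existing smtp(8) log lines, without waiting for a new security level. The following is an added example (not code from the thread or from Postfix) that parses the "Anonymous/Untrusted/Trusted/Verified TLS connection established to host[addr]:port:" lines, keeps the strongest level ever seen per destination host, and lists hosts that never reached a chosen floor; the log lines are constructed sample input.

```python
import re

# Trust levels exactly as Postfix's smtp(8) client logs them, weakest to strongest.
LEVELS = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}

# Matches "<Level> TLS connection established to host[addr]:port:" in a syslog line.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+:"
)

# Constructed sample log excerpt (not real traffic); one non-TLS line is included
# to show that unrelated smtp(8) lines are skipped.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtp[1234]: Verified TLS connection established to mx1.dane.example[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:02:07 mx postfix/smtp[1235]: Trusted TLS connection established to mail.partner.example[192.0.2.20]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:03:11 mx postfix/smtp[1236]: Untrusted TLS connection established to smtp.selfsigned.example[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:04:15 mx postfix/smtp[1237]: Anonymous TLS connection established to relay.anon.example[192.0.2.40]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:05:19 mx postfix/smtp[1238]: Verified TLS connection established to mail.partner.example[192.0.2.20]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:05:20 mx postfix/smtp[1238]: 4F2A1B: to=<user@partner.example>, relay=mail.partner.example[192.0.2.20]:25, status=sent (250 2.0.0 Ok)
""".splitlines()


def best_level_per_host(lines):
    """Return {host: strongest trust level seen} from Postfix smtp(8) log lines."""
    best = {}
    for line in lines:
        m = TLS_RE.search(line)
        if not m:
            continue  # not a TLS-established line; ignore
        host, level = m.group("host"), m.group("level")
        if LEVELS[level] > LEVELS.get(best.get(host), -1):
            best[host] = level
    return best


def improvable(lines, floor="Verified"):
    """Hosts whose best-ever session stayed below `floor`: candidates for a
    tls_policy entry (verify/secure) or for asking the operator to fix the
    certificate chain or publish TLSA records."""
    best = best_level_per_host(lines)
    return sorted(h for h, lvl in best.items() if LEVELS[lvl] < LEVELS[floor])


if __name__ == "__main__":
    for host, level in sorted(best_level_per_host(SAMPLE_LOG).items()):
        print(f"{host:28} best={level}")
    print("below Verified:", improvable(SAMPLE_LOG))
```

On a real system, feed it `grep 'postfix/smtp\[' /var/log/mail.log` (or the journal) instead of SAMPLE_LOG; a host that is only ever "Trusted" is one where the CA chain checks out but the name was never matched, which is exactly the case the thread is about.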