Re: [ietf-smtp] guidance on how to secure against sniffing and paid backdoors

2013-09-16 13:48:21
"SG" == Sabahattin Gucukoglu <listsebby(_at_)me(_dot_)com> writes:

SG> We just need a way to extend that to the whole Internet, using DNSSEC

If the recipient domain publishes TLSA RRs for its MXs, and if the MX,
address and TLSA lookups are all dnssec-verified, DANE-compliant MTAs
will insist on TLS (including that the tls cert provided by the MX
matches the TLSA RR) to deliver the mail.

An example of such an mta is postfix 2.11 with the configuration:

smtp_use_tls = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

That config will fall back to unverified tls or to unencrypted smtp if
necessary in the absence of dnssec or tlsa records.  But if the dns
results are bogus (per dnssec), if the tlsa does not match the offered
cert, or if anything else prevents the tls negotiation, then it will
defer delivery until it works or until the mail times out and bounces.

James Cloos <cloos(_at_)jhcloos(_dot_)com>         OpenPGP: 1024D/ED7DAEA6
ietf-smtp mailing list
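The message says the MX's TLS certificate must "match the TLSA RR" but does not show what the record looks like or how the comparison is made. The script below is an added example, not part of the original message and not Postfix code: it derives the DANE-EE "3 1 1" TLSA record (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, per RFC 6698) for an MX certificate with the openssl CLI, and performs the same hash comparison a DANE-aware MTA does before delivering. It assumes `openssl` is on PATH; the hostnames `mx.example.com` and `other.example.com` are placeholders, and the certificates are self-signed throwaways generated on the fly.

```shell
#!/bin/sh
# Added example, not from the original message or from Postfix itself:
# derive the DANE-EE "3 1 1" TLSA record for an MX certificate, and check
# a presented certificate against a published record the way a DANE-aware
# MTA does before it is willing to deliver.  Assumes the openssl CLI is
# on PATH; the certificates used in the demo are generated on the fly.
set -eu

# spki_sha256 CERT.pem
#   Print the hex SHA-256 of the certificate's DER SubjectPublicKeyInfo,
#   i.e. the association data for selector 1 / matching type 1 (RFC 6698).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# tlsa_record MXHOST CERT.pem
#   Print the RR to publish under _25._tcp.MXHOST: usage 3 (DANE-EE),
#   selector 1 (SPKI), matching type 1 (SHA-256).
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# tlsa_matches PUBLISHED_HEX CERT.pem
#   Exit 0 if the presented certificate matches a "3 1 1" record, 1 if not.
#   A DANE MTA that gets a mismatch here defers the mail; it does not fall
#   back to unauthenticated TLS or cleartext.
tlsa_matches() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ "$(spki_sha256 "$2")" = "$want" ]
}

# make_cert CN OUT.pem
#   Throwaway self-signed cert standing in for the MX's real one
#   (constructed for the demo; the key lands next to the cert).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
        -subj "/CN=$1" -days 1 -out "$2" 2>/dev/null
}

# Demo: build a cert for the MX, print the record to publish, then check
# both the right cert and an unrelated one against it.
demo() {
    tmp=$(mktemp -d)
    make_cert mx.example.com "$tmp/mx.pem"
    make_cert other.example.com "$tmp/other.pem"
    rr=$(tlsa_record mx.example.com "$tmp/mx.pem")
    echo "$rr"
    hash=${rr##* }
    if tlsa_matches "$hash" "$tmp/mx.pem"; then
        echo "mx.pem: matches published TLSA, deliver"
    fi
    if ! tlsa_matches "$hash" "$tmp/other.pem"; then
        echo "other.pem: no match, defer"
    fi
    rm -rf "$tmp"
}

demo
```

The owner name is `_25._tcp.` followed by the hostname from the MX record (not the bare domain), and the record only counts if the zone it lives in is DNSSEC-signed; otherwise the Postfix configuration quoted above sees no verified TLSA and falls back. Hashing the public key rather than the whole certificate means the record survives certificate renewals that keep the same key pair. To check a live MX against what it publishes, Postfix 2.11 ships `posttls-finger(1)`, e.g. `posttls-finger -l dane mx.example.com`.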