"MG" == Martijn Grooten <ietf-smtp(_at_)lapsedordinary(_dot_)net> writes:
MG> Secondly, I don't think the proposal includes a way to authenticate
MG> the receiving server.
DANE provides that.
The draft which suggests how to use DANE with SMTP suggests that TLS
MUST be used, and the server's offerred cert verified, whenever the path
to the MX is dnssec-verified and a TLSA record exists for the smtp server.
Of course, that would not protect against an attacker which can remove
the DS record from the parent zone (not just block it, but also provide
proof of non-existence). But nothing really can protect against those
who control the parent zone(s).
James Cloos <cloos(_at_)jhcloos(_dot_)com> OpenPGP: 1024D/ED7DAEA6
ietf-smtp mailing list