[Top] [All Lists]

Re: [ietf-smtp] Adding a new value to the WITH protocol type subregistry

2018-07-12 19:22:06

On Jul 12, 2018, at 5:12 PM, Lyndon Nerenberg <lyndon(_at_)orthanc(_dot_)ca> 

That's because we have an L7 proxy in the way; it accepts the (TLS) 
connection, does some preliminary validation (greylisting, RBL checks, etc) 
before passing the connection through to our internal MTAs. It doesn't insert 
its own Received header, and the internal proxy->MTA hop isn't encrypted.  
The same thing happens on the Submission path, where our internal encryption 
proxies don't identify themselves via Received (for privacy reasons).

Sorry, I left out some context ...

Our internal MTAs report no TLS because the inside link is not encrypted.  This 
means incoming TLS-encrypted messages don't show that in Received.

If we were to encrypt the internal hop from the proxy to the MTA, *all* the 
messages would show as TLS-encrypted, even when they might not be.

The alternative is modifying the proxy code to insert its own Received header.  
That would add a lot of overhead to what is otherwise a very lightweight front 
end defence on our SMTP servers.  The value of having this information in 
Received is negligible, versus having it in the logs, which is where we go to 
anyway whenever anyone askes how the transaction actually played out.


ietf-smtp mailing list

<Prev in Thread] Current Thread [Next in Thread>