How to fall back from `dane-only` to `secure`?


How to fall back from `dane-only` to `secure`?

Paul Menzel
Dear Postfix folks,


There are several SMTP servers, where messages should only be sent over
a secure channel. But, the postmasters have set up the servers
differently. Some use CAs to sign their certificates and some DANE with
self-signed certificates.

To avoid maintaining two TLS policies, one where for
`smtp_tls_security_level` the value `secure` is specified, and another
with `dane-only` [1], and keeping an eye out for when SMTP servers switch to or
from DANE, is there a way to maintain one list? So if no DANE records
are published, it falls back to secure certificate verification?

Like `dane` falls back to `may`?


Kind regards,

Paul


[1] http://www.postfix.org/TLS_README.html#client_tls_policy
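Postfix has no single security level that means "`dane-only` if the destination publishes TLSA records, else `secure`", so the fallback decision has to be made when the policy table is generated. The script below is an added example (not Postfix code, and not a feature described in the thread): it builds one `smtp_tls_policy_maps` table from a list of destinations, choosing `dane-only` for those with usable TLSA records and `secure` for the rest, and reports which destinations changed level since the last run, which is the "keeping an eye out" part of the question. The TLSA probe itself is an assumption left to the caller (`has_usable_tlsa`); it must only return True for DNSSEC-validated TLSA records, since that is what Postfix requires before it will use DANE. The sample data is constructed.

```python
"""Generate a Postfix smtp_tls_policy_maps table that uses `dane-only` for
destinations publishing DANE TLSA records and `secure` for all others.

Added example, not Postfix's own code. The `dane-only`-else-`secure`
fallback is decided here, at generation time, so the table must be
regenerated (and the changes reviewed) whenever a destination starts or
stops publishing TLSA records; Postfix itself does not fall back.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample: which destinations publish DNSSEC-signed TLSA records.
# A real deployment would replace `sample_probe` with a lookup through a
# DNSSEC-validating resolver (assumption: such a probe exists).
SAMPLE_DANE_STATUS = {
    "dane.example": True,    # self-signed certificate, matched via DANE TLSA
    "ca.example": False,     # CA-signed certificate, no TLSA records
    "mixed.example": True,
}


def sample_probe(domain: str) -> bool:
    """Stand-in for a DNSSEC-validated TLSA lookup (constructed data)."""
    return SAMPLE_DANE_STATUS.get(domain, False)


def choose_levels(domains: List[str],
                  has_usable_tlsa: Callable[[str], bool]) -> Dict[str, str]:
    """Map each next-hop destination to a Postfix TLS policy level.

    `dane-only` when usable TLSA records exist, otherwise `secure`, which
    verifies the server certificate against the configured CAs and, by
    default, matches the next-hop domain (nexthop, dot-nexthop).
    """
    return {d: ("dane-only" if has_usable_tlsa(d) else "secure")
            for d in sorted(domains)}


def render_policy_map(levels: Dict[str, str]) -> str:
    """Render the text form of smtp_tls_policy_maps: `<nexthop> <policy>`."""
    return "".join(f"{domain}\t{policy}\n" for domain, policy in levels.items())


def parse_policy_map(text: str) -> Dict[str, str]:
    """Read a previously generated table back (for change detection).

    Only the policy level is kept; per-site attributes such as match=...
    are ignored here.
    """
    levels: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, policy = line.split(None, 1)
        levels[domain] = policy.split()[0]
    return levels


def policy_changes(old: Dict[str, str],
                   new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Destinations whose level changed: (domain, old_level, new_level).

    A change from `dane-only` to `secure` means the destination dropped its
    TLSA records; from `secure` to `dane-only` means it started publishing
    them. Either way the new table should be reviewed before deployment.
    """
    return [(d, old.get(d, "(none)"), new[d])
            for d in new if old.get(d) != new[d]]


if __name__ == "__main__":
    destinations = ["ca.example", "dane.example", "mixed.example"]
    # Constructed "previous run" in which mixed.example had no TLSA records.
    previous = parse_policy_map("ca.example\tsecure\n"
                                "dane.example\tdane-only\n"
                                "mixed.example\tsecure\n")
    current = choose_levels(destinations, sample_probe)
    print(render_policy_map(current), end="")
    for domain, before, after in policy_changes(previous, current):
        print(f"# changed: {domain}: {before} -> {after}")
```

The rendered text is the input to `postmap` for the table referenced by `smtp_tls_policy_maps` (for example `hash:/etc/postfix/tls_policy`); the change report is what an operator would look at before installing it, because a destination that silently moves from `dane-only` to `secure` is exactly the transition the original question wants to stop tracking by hand.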

Re: How to fall back from `dane-only` to `secure`?

Viktor Dukhovni
On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:

> There are several SMTP servers, where messages should only be sent over a
> secure channel. But, the postmasters have set up the servers differently.
> Some use CAs to sign their certificates and some DANE with self-signed
> certificates.
>
> To avoid maintaining two TLS policies, one where for
> `smtp_tls_security_level` the value `secure` is specified, and another with
> `dane-only` [1], and keeping an eye out for when SMTP servers switch to or from DANE,
> is there a way to maintain one list? So if no DANE records are published, it
> falls back to secure certificate verification?
>
> Like `dane` falls back to `may`?

Wietse and I have discussed something along these lines some time
back, but nothing of that sort has as yet been implemented.

--
        Viktor.

Re: How to fall back from `dane-only` to `secure`?

Paul Menzel
Dear Viktor,


On 07/06/17 20:11, Viktor Dukhovni wrote:

> On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:
>
>> There are several SMTP servers, where messages should only be sent over a
>> secure channel. But, the postmasters have set up the servers differently.
>> Some use CAs to sign their certificates and some DANE with self-signed
>> certificates.
>>
>> To avoid maintaining two TLS policies, one where for
>> `smtp_tls_security_level` the value `secure` is specified, and another with
>> `dane-only` [1], and keeping an eye out for when SMTP servers switch to or from DANE,
>> is there a way to maintain one list? So if no DANE records are published, it
>> falls back to secure certificate verification?
>>
>> Like `dane` falls back to `may`?
>
> Wietse and I have discussed something along these lines some time
> back, but nothing of that sort has as yet been implemented.

Would paying for the work speed up the implementation? If yes, who could
be contracted for that work?


Kind regards,

Paul