How to fall back from `dane-only` to `secure`?


Paul Menzel
Dear Postfix folks,


There are several SMTP servers, where messages should only be sent over
a secure channel. But, the postmasters have set up the servers
differently. Some use CAs to sign their certificates and some DANE with
self-signed certificates.

To avoid maintaining two TLS policies, one where for
`smtp_tls_security_level` the value `secure` is specified, and another
with `dane-only` [1], and keeping an eye out, when SMTP servers switch to or
from DANE, is there a way to maintain one list? So if no DANE records
are published, it falls back to secure certificate verification?

Like `dane` falls back to `may`?


Kind regards,

Paul


[1] http://www.postfix.org/TLS_README.html#client_tls_policy
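One way to keep a single destination list while the `dane-only` / `secure` choice follows what each remote site actually publishes is to generate the `smtp_tls_policy_maps` table from DNS instead of hand-maintaining it. The following script is an added example for this thread (it is not Postfix code and not from either poster). The function names `policy_for` and `render_policy_map` and the `SAMPLE_MX` / `SAMPLE_TLSA` data are constructed for illustration; in production the TLSA check would be a real DNSSEC-validating lookup (for example via a resolver that reports the AD bit), which is injected here as `tlsa_lookup` so the logic runs offline. The policy-table syntax (`domain dane-only`, `domain secure match=a:b`) is Postfix's own, as documented in TLS_README.

```python
"""Generate a Postfix smtp_tls_policy_maps table from one destination list.

Destinations whose MX hosts all publish DNSSEC-validated TLSA records get
`dane-only`; every other destination gets `secure` with an explicit match
list naming its MX hosts, so a CA-signed certificate is still fully
verified.  A domain with only some of its MX hosts covered by TLSA is kept
on `secure`: under `dane-only` mail routed to an MX without TLSA records
would be deferred, not delivered.

`tlsa_lookup(mx_host) -> bool` is an injected check that must return True
only when the TLSA RRset for `_25._tcp.<mx_host>` exists AND was
DNSSEC-validated, because Postfix ignores unvalidated TLSA data.
"""
from typing import Callable, Dict, List

# Constructed sample: destination domain -> its MX hostnames.  In production
# these would come from MX lookups of each destination in the list.
SAMPLE_MX: Dict[str, List[str]] = {
    "dane.example": ["mx1.dane.example", "mx2.dane.example"],
    "ca.example": ["mail.ca.example"],
    "mixed.example": ["mx1.mixed.example", "mx2.mixed.example"],
}

# Constructed sample of which MX hosts publish validated TLSA records.
SAMPLE_TLSA: Dict[str, bool] = {
    "mx1.dane.example": True,
    "mx2.dane.example": True,
    "mail.ca.example": False,
    "mx1.mixed.example": True,
    "mx2.mixed.example": False,  # one MX lacks TLSA -> whole domain stays on `secure`
}


def sample_tlsa_lookup(mx_host: str) -> bool:
    """Offline stand-in for a DNSSEC-validating TLSA lookup."""
    return SAMPLE_TLSA.get(mx_host, False)


def policy_for(domain: str, mx_hosts: List[str],
               tlsa_lookup: Callable[[str], bool]) -> str:
    """Return one smtp_tls_policy_maps line for `domain`."""
    if mx_hosts and all(tlsa_lookup(h) for h in mx_hosts):
        # Every MX host has validated TLSA records: require DANE, no fallback.
        return f"{domain} dane-only"
    # Otherwise require a trusted CA-signed certificate whose name matches one
    # of the MX hosts.  `match=` entries are colon-separated in Postfix.
    match = ":".join(mx_hosts)
    return f"{domain} secure match={match}"


def render_policy_map(mx_table: Dict[str, List[str]],
                      tlsa_lookup: Callable[[str], bool]) -> str:
    """Render the complete policy table, one destination per line."""
    lines = [policy_for(d, hosts, tlsa_lookup) for d, hosts in sorted(mx_table.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the result to the file referenced by smtp_tls_policy_maps, then
    # run `postmap` on it so Postfix picks up the regenerated table.
    print(render_policy_map(SAMPLE_MX, sample_tlsa_lookup), end="")
```

Run this periodically (a cron job is enough) and follow it with `postmap` on the generated file; the one list then tracks remote sites switching to or from DANE without anyone watching for it by hand. Note that this only moves the DANE-vs-CA decision to generation time: between runs, a site that drops its TLSA records stays on `dane-only` and mail to it defers until the table is regenerated, which is the safe direction to fail.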

Re: How to fall back from `dane-only` to `secure`?

Viktor Dukhovni
On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:

> There are several SMTP servers, where messages should only be sent over a
> secure channel. But, the postmasters have set up the servers differently.
> Some use CAs to sign their certificates and some DANE with self-signed
> certificates.
>
> To avoid maintaining two TLS policies, one where for
> `smtp_tls_security_level` the value `secure` is specified, and another with
> `dane-only` [1], and keeping an eye out, when SMTP switch to or from DANE,
> is there a way to maintain one list? So if no DANE records are published, it
> falls back to secure certificate verification?
>
> Like `dane` falls back to `may`?

Wietse and I have discussed something along these lines some time
back, but nothing of that sort has as yet been implemented.

--
        Viktor.