On 3/5/2014 12:42 AM, Viktor Dukhovni wrote:
> On Tue, Mar 04, 2014 at 02:34:46PM +0200, s7r wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>
> http://xkcd.com/1181
>
>> I know the basics how SSL/TLS works for websites, how does it
>> work for SMTP?
>
> * Unauthenticated opportunistic TLS.
>
>> Who issues the certs?
>
> * Nobody checks the certs, except by prior bilateral agreement.
> Therefore, you're free to use self-signed certs you generate.
> Paying for SMTP certs from a public CA is a waste, unless your
> business partners want to verify your SMTP server via some CA.
>
>> If it's not a certification authority how are the certs verified
>
> * They are not verified.
>
>> how are the encryption keys exchanged in order to be sure you
>> are talking to the right end and there is no man-in-the-middle?
>
> * You get no man in the middle protection.
>
> Postfix also supports authenticated TLS:
>
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_fprint
> http://www.postfix.org/TLS_README.html#client_tls_verify
> http://www.postfix.org/TLS_README.html#client_tls_secure
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> but all the levels other than "dane" don't scale beyond a handful
> of peer sites. The "dane" level can scale, but at this time there
> are essentially no domains that have DNSSEC sized zones with TLSA
> records for SMTP (a total ~20 domains).
>
> Exim also has various levels of TLS authentication, but the issues
> are the same, they are in the nature of Internet SMTP, not any
> particular MTA implementation.
>
> Please help grow DANE adoption by implementing DNSSEC on your
> domain and publishing TLSA records (only once you understand how to
> keep these working properly with key rotation, we want DANE to
> work reliably for all receiving domains that commit to
> authenticated TLS by publishing TLSA records). So most users
> should wait 6-12 months, by which time the standards will be better
> defined, and more deployment documentation will be available, maybe
> even an implementation in Exim. Early adopters strongly familiar
> with DNSSEC, TLS, and so on can deploy now.
>
Thank you Viktor for your complete answer. So if there is no man in
the middle protection using SMTP TLS, why is it used or recommended to
be activated?
Since the sending server has no way to verify he is actually talking
to the correct receiving server and connection could be intercepted by
a man in the middle attack, what's the use for TLS on SMTP with self
signed certs?
The TLSA with DNSSEC on the other thing sounds very good but
unfortunately i am not aware how DNSSEC functions and how I can
activate it I googled few months ago for a nice tutorial with
explanation but couldn't find one.
--
s7r@???
PGP Public key:
http://www.sky-ip.org/s7r@sky-ip.org.asc
