Re: [exim-dev] [hs@schlittermann.de: Re: DANE]

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [hs@schlittermann.de: Re: DANE]
On Thu, May 08, 2014 at 05:24:30PM +0200, Heiko Schlittermann wrote:

> I fully agree.
> I'm thinking of something about that way (not sure, if I
> got the ${acl{}} feature right?)
>
>     begin acl
>
>         acl_check_dane:
>             accept verify = dane
>             deny
>
>
>     begin transports
>
>         remote_smtps:
>             driver = smtp
>             hosts_require_tls = *
>             tls_continue = ${acl{acl_check_dane}}
>
> This gives the user the power to implement whatever he wants
> as the condition.


There is nothing here that tells the engine to do DANE in the first
place, or is that assumed to already be in place?

The SMTP "driver" would have to have performed DNSSEC validated MX
lookups, sent the MX hostname in SNI, and made sure to disable
anonymous cipher-suites, before this check is invoked. Is there
separate configuration to "condition" the connection for later
DANE checks?

The check looks too easy to omit. What's wrong with simpler driver
configuration parameters rather than a "tls_continue" hook?

Perhaps configuration through code fragments is simply the Exim
way? Is that always better? Sometimes Turing-complete mechanisms
get out of hand. They are nice to have, but perhaps should only
be a fallback when more direct mechanisms are insufficient.

-- 
    Viktor.
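The check that a `verify = dane` step would actually have to perform, once the transport has done the DNSSEC-validated lookups, is TLSA matching per RFC 6698 against the presented chain. The following Python is an added illustration, not Exim code and not from this thread; the certificate and SPKI bytes are constructed placeholders, and only certificate usages DANE-TA (2) and DANE-EE (3) are accepted, as RFC 7672 requires for SMTP.

```python
import hashlib

# RFC 6698 field values; the helper functions themselves are constructed here.
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3        # usages 0/1 (PKIX-*) are not used for SMTP
SEL_FULL_CERT, SEL_SPKI = 0, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2

def _selected(selector, cert):
    # cert is a dict holding the DER certificate and its DER SubjectPublicKeyInfo
    return cert["der"] if selector == SEL_FULL_CERT else cert["spki"]

def _matches(record, cert):
    _usage, selector, mtype, data = record
    sel = _selected(selector, cert)
    if mtype == MT_FULL:
        return sel == data
    if mtype == MT_SHA256:
        return hashlib.sha256(sel).digest() == data
    if mtype == MT_SHA512:
        return hashlib.sha512(sel).digest() == data
    return False  # unknown matching type: record is unusable, not a failure

def dane_verify(tlsa_records, chain, dnssec_secure):
    """True if the presented chain satisfies at least one usable TLSA record.

    chain[0] is the leaf certificate. TLSA data is only trusted when the RRset
    was DNSSEC-validated; an insecure or bogus answer means "no DANE", so the
    caller must not fall back to an unauthenticated connection on its own here.
    """
    if not dnssec_secure or not chain:
        return False
    for rec in tlsa_records:
        usage = rec[0]
        if usage == USAGE_DANE_EE and _matches(rec, chain[0]):
            return True
        if usage == USAGE_DANE_TA and any(_matches(rec, c) for c in chain[1:]):
            # DANE-TA: the matched issuer must also have signed the chain down
            # to the leaf; that signature check is left to the TLS library.
            return True
    return False

# Constructed sample data (placeholders, not real DER):
LEAF = {"der": b"constructed-leaf-der", "spki": b"constructed-leaf-spki"}
ISSUER = {"der": b"constructed-issuer-der", "spki": b"constructed-issuer-spki"}
SAMPLE_TLSA = [(3, 1, 1, hashlib.sha256(LEAF["spki"]).digest())]  # "3 1 1" record
```

A real deployment also needs the SNI and anonymous-cipher handling discussed above; this block covers only the matching step.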