[exim] TLSA Security vs SSL/TLS security

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mark Elkins
Date:  
À: exim-users
Sujet: [exim] TLSA Security vs SSL/TLS security
I'm looking for some answers/clarification to various advantages of DANE
vs normal MTA security and opportunistic TLS....

I'm only talking about MTA - Mail Transport Agents, software that
transfers e-mail from one Mail Agent to another - eg exim, postfix - etc.

I know Viktor (amongst others) lurks here....

Without DANE/TLSA records.

                 -------------------


(1) When two Mail Servers talk and discover (opportunistically) that
they can both talk SSL/TLS, does the Sender ever check the Receivers
Certificate to make sure that Primary or Alternative names match the
Receiving Server it is trying to connect to?

i.e. a Man-in-the-middle attack could also be using SSL/TLS Certificates
(from anywhere), copy the email, then forward it on. I always told this
part of the story with the Man-in-the-middle forcing the conversation to
clear text.

(In DANE, the DNS/Mail/Security manager basically circumvents this need
by putting in matching TLSA in the (DNSSEC signed) DNS along with the
appropriate SSL/TLS Certificate in the Mail Servers config.)

                 -------------------


(2) If I listen on port 465, should I also have a TLSA record for that
port as well? e.g.

_465._tcp.mail.mydomain.tld. IN TLSA 3 1 1 2A1492F9....

                 -------------------


(3) What makes a Sending mail server ever connect to port 465 of a
receiving mail server, except the obvious of some sort of static
configuration?

                 -------------------


With DANE:

(4) When running an ISP environment, single Mail Server with its own
SSL/TLS Certificate, lots of virtual users with their own (Other)
Domains, the Main Mail server has (I would think) just one SSL/TLS
Certificate - presumable matching "mail.myisp.tld". Matching TLSA in the
(secured) DNS. No problem for "DANE" styled e-mail to be sent to
"user@???".

The many Other Domains can have a CNAME "mail.myname.tld" that points to
"mail.myisp.tld".

Do the Other Domains have to be DNSSEC Signed? Ideally - I'd get
everything signed. Will this work "DANE" style though if the hundreds of
virtual domains don't have DNSSEC?

I personally think it _should_ work - but don't know. (Have not yet got
Exim to speak DANE, or found the HowTo which describes this).




-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za