Re: [exim] TLSA Security vs SSL/TLS security

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Jeremy Harris
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] TLSA Security vs SSL/TLS security
On 10/08/16 15:20, Mark Elkins wrote:
> Without DANE/TLSA records.
>
>                  -------------------

>
> (1) When two Mail Servers talk and discover (opportunistically) that
> they can both talk SSL/TLS, does the Sender ever check the Receivers
> Certificate to make sure that Primary or Alternative names match the
> Receiving Server it is trying to connect to?


It's up to it to do so. In Exim, you have to ask for that -
tls_verify_hosts and tls_verify_cert_hostnames on the smtp transport.


> (3) What makes a Sending mail server ever connect to port 465 of a
> receiving mail server, except the obvious of some sort of static
> configuration?


Exim can be pretty dynamic... but that's not really what you're
asking for.

There's a little-used DNS record type called "SRV" that can help.
See, eg, the wikipedia description.
In Exim, see the check_srv option on the dnslookup router.


>                  -------------------

>
> With DANE:

[...]
> I personally think it _should_ work - but don't know. (Have not yet got
> Exim to speak DANE, or found the HowTo which describes this).


See the experimental-spec.txt file. You have to deliberately compile
with DANE support, and with OpenSSL. There's no GnuTLS support yet
(hence the lack of it in the mainline).

--
Cheers,
Jeremy