Re: [exim] TLSA Security vs SSL/TLS security

Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] TLSA Security vs SSL/TLS security
On 10/08/16 15:20, Mark Elkins wrote:
> Without DANE/TLSA records.
>
> -------------------
>
> (1) When two Mail Servers talk and discover (opportunistically) that
> they can both talk SSL/TLS, does the Sender ever check the Receiver's
> Certificate to make sure that Primary or Alternative names match the
> Receiving Server it is trying to connect to?


It's up to it to do so. In Exim, you have to ask for that -
tls_verify_hosts and tls_verify_cert_hostnames on the smtp transport.


> (3) What makes a Sending mail server ever connect to port 465 of a
> receiving mail server, except the obvious of some sort of static
> configuration?


Exim can be pretty dynamic... but that's not really what you're
asking for.

There's a little-used DNS record type called "SRV" that can help.
See, e.g., the Wikipedia description.
In Exim, see the check_srv option on the dnslookup router.


>
> -------------------
>
> With DANE:

[...]

> I personally think it _should_ work - but don't know. (Have not yet got
> Exim to speak DANE, or found the HowTo which describes this).


See the experimental-spec.txt file. You have to deliberately compile
with DANE support, and with OpenSSL. There's no GnuTLS support yet
(hence the lack of it in the mainline).

--
Cheers,
Jeremy
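
The following configuration sketch is an added example, not part of Jeremy's reply and not taken from the Exim project's own documentation. It shows the three options the reply names in context: check_srv on a dnslookup router (so SRV records, including the port they carry, are consulted before MX), and tls_verify_hosts plus tls_verify_cert_hostnames on the smtp transport (so opportunistic TLS still verifies the peer certificate and checks that it names the host being connected to). The router and transport names, the CA bundle path and the example peer domain are assumptions; the DANE lines at the end only exist in a build compiled with DANE support and OpenSSL, as the reply states.

```exim
# Added example: minimal router + transport fragment for an Exim 4.8x-era
# configuration. Names "dnsmx" and "remote_smtp", the CA path and
# "example.net" are assumed; option names are real Exim options.

# Router: look up _smtp._tcp SRV records first (question 3 in the
# thread); fall back to MX/A as usual when none exist. A host found via
# SRV carries the port from that record, so no static port is needed.
dnsmx:
  driver = dnslookup
  domains = ! +local_domains
  check_srv = smtp
  # DANE-enabled builds only: ask for DNSSEC-validated answers so that
  # TLSA records can be trusted.
  # dnssec_request_domains = *
  transport = remote_smtp
  no_more

# Transport: offer STARTTLS opportunistically everywhere, but for the
# listed peers fail the delivery unless the certificate chains to a
# trusted CA *and* its CN/SAN names match the host we connected to
# (question 1 in the thread). Without tls_verify_hosts, Exim uses TLS
# without checking the certificate at all.
remote_smtp:
  driver = smtp
  hosts_try_tls = *
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_verify_hosts = *.example.net
  tls_verify_cert_hostnames = *
  # DANE-enabled builds only: use TLSA records where published; DANE
  # verification then replaces the CA check above for those hosts.
  # hosts_try_dane = *
```

Usage note: tls_verify_hosts is a host list, not a boolean; setting it to `*` makes every remote delivery depend on a valid, name-matching certificate, which is rarely what an opportunistic-TLS sender wants. Keep it to peers you have checked, and use `exim -bt user@example.net` followed by a test delivery with `-d+tls` to see whether verification actually ran.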