Author: Jeremy Harris
Date: 2016-09-03 14:22 -000
To: exim-users
Subject: Re: [exim] TLSA Security vs SSL/TLS security

On 10/08/16 16:10, Viktor Dukhovni wrote:
> On Wed, Aug 10, 2016 at 04:20:01PM +0200, Mark Elkins wrote:
>> (2) If I listen on port 465, should I also have a TLSA record for that
>> port as well? e.g.
>>
>> _465._tcp.mail.mydomain.tld. IN TLSA 3 1 1 2A1492F9....
>
> I am not aware of any MUAs that would look for such a TLSA record.
> When/if such MUAs show up, the TLSA record would be useful.
Not a MUA, but Exim will, if it has connected to 465 (more generally,
whatever port it connected to will be used for a TLSA lookup key).
If you do SRV lookups (via the dnslookup router check_srv option)
you'll get the port given by that. Alternatively, use of ports other
than default can be set in manualroute routing rules or by using
the smtp transport port option.
However, we won't expect to have to use ssl-on-connect just because
the port number is 443. I think I saw a proposal to add a "smtps"
service-name for SRV; we might consider extending Exim's SRV
support to also look for that, and set the transport protocol
accordingly.
The default port for the smtp transport becomes "smtps" if the
protocol option is set to smtps.
Anyway... if you're expecting MTAs to talk to you on 465, which
few people do, such a TLSA record would be a good move.
The MUA case is a bit more likely.
--
Cheers,
Jeremy
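The configuration below is an added illustration of the behaviour Jeremy describes, not code from the post or from the Exim project. It assumes a destination domain mydomain.tld whose host mail.mydomain.tld accepts SSL-on-connect on port 465 and publishes a DANE TLSA record for that port; the domain, host name and hash are placeholders.

```exim
# Added example (not from the mailing-list post or the Exim project).
# Assumes mail.mydomain.tld accepts SSL-on-connect on 465 and publishes
# a TLSA record under _465._tcp; names and the hash are placeholders.

begin routers

# Send mail for mydomain.tld to its host via a dedicated transport.
# DNSSEC-validated lookups are needed for the DANE check to be performed.
to_mydomain:
  driver = manualroute
  domains = mydomain.tld
  route_list = * mail.mydomain.tld
  dnssec_request_domains = *
  transport = remote_smtps

begin transports

# With protocol = smtps the transport's default port becomes "smtps" (465)
# and Exim does SSL-on-connect. The port actually connected to is the
# one used as the TLSA lookup key, so the lookup is for _465._tcp.<host>.
remote_smtps:
  driver = smtp
  protocol = smtps
  # port = smtps is implied by the protocol; set port explicitly only
  # when the peer listens elsewhere.
  hosts_require_dane = *
```

On the DNS side this pairs with the record from the original question, with the hash of the server's SubjectPublicKeyInfo in place of the placeholder: `_465._tcp.mail.mydomain.tld. IN TLSA 3 1 1 <sha256-placeholder>`. Note the caveat from the reply: an SRV record that returns port 465 does not by itself make Exim switch to SSL-on-connect, so with check_srv alone Exim would attempt STARTTLS on that port; the protocol has to be set on the transport as above.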