Re: [exim] TLSA Security vs SSL/TLS security

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLSA Security vs SSL/TLS security

> On Sep 3, 2016, at 10:22 AM, Jeremy Harris <jgh@???> wrote:
>
> If you do SRV lookups (via the dnslookup router check_srv option)
> you'll get the port given by that.


I am not aware of any RFC that specifies that MTAs should use SRV
records to locate the nexthop SMTP server when such SRV records are
present. Rather, SRV records for smtp are specifically intended
for MUAs to find submission servers:

    https://tools.ietf.org/html/rfc6186


Therefore, Exim should not attempt to use SRV records
when acting as an SMTP relay. The documentation at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dnslookup_router.html

would ideally explain that "check_srv" is non-standard, and
is only appropriate for SOHO configurations in which Exim
is used to funnel all outbound email via an ISP's SMTP
submission server.

> Alternatively, use of ports other
> than default can be set in manualroute routing rules or by using
> the smtp transport port option.


And indeed other MTAs have similar features.

> However, we won't expect to have to use ssl-on-connect just because
> the port number is 443. I think I saw a proposal to add a "smtps"
> service-name for SRV; we might consider extending Exim's SRV
> support to also look for that, and set the transport protocol
> accordingly.


It is best in this space to stick to published standards, and
as appropriate reference them in the documentation. AFAIK,
there is at present no standard for "smtps" SRV records.

As for doing TLS first and then SMTP, rather than SMTP with
STARTTLS, that's not unreasonable, provided the user explicitly
requests support for that in the given "router" (if that's the
right term in the Exim space for what is called a "transport"
in Postfix or a "mailer" in Sendmail).

For example, the Postfix changelog (HISTORY) file contains:

20150116

        TLS wrappermode in the Postfix smtp(8) client. This introduces
        a new parameter "smtp_tls_wrappermode" (default: no). Files:
        global/mail_params.h, mantools/postlink, proto/postconf.proto,
        smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c,
        smtp/smtp_params.c, smtp/smtp_proto.c.


        TLS wrappermode in posttls-finger(1), and some DANE-related
        cleanups. This introduces a new option "-w". Viktor Dukhovni.
        Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
        tls/tls.h, tls/tls_client.c, tls/tls_fprint.c.


Thus administrators can define a "router" that talks "smtps" on any
port of their choice.

> The MUA case is a bit more likely.


This of course remains true. The bulk of "smtps" use is by legacy
MUAs that don't do STARTTLS on 587, or when the ISP only supports
"smtps" for submission.

Chris Newman has been talking about bringing back "smtps 465/tcp"
as the preferred submission interface, but I am skeptical this will
happen.

-- 
    Viktor.
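The message above makes the point that SRV records for SMTP are an MUA mechanism (RFC 6186) for locating a submission server, not something an MTA relay should consult. The following added example, which is not part of the original mail or of Exim or Postfix, shows the client-side half of that: it orders a `_submission._tcp` SRV answer set the way RFC 2782 prescribes (ascending priority, weighted random within equal priority) and honours the RFC 6186 convention that a single record with target "." means the service is explicitly not offered. The record set is constructed for illustration; `example.com` hostnames are assumptions, and no real DNS query is made, so it runs offline.

```python
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR as returned for a name such as _submission._tcp.example.com."""
    priority: int
    weight: int
    port: int
    target: str  # fully qualified target host, or "." for "service not offered"


# Constructed sample answer set (not a real zone): two equal-priority
# submission hosts on 587 sharing load 60/40, plus a lower-preference
# backup that happens to listen on 465.
SAMPLE_ANSWERS: List[SrvRecord] = [
    SrvRecord(priority=10, weight=60, port=587, target="mail1.example.com."),
    SrvRecord(priority=10, weight=40, port=587, target="mail2.example.com."),
    SrvRecord(priority=20, weight=0, port=465, target="backup.example.com."),
]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV records for connection attempts per RFC 2782.

    Lower priority values are tried first.  Within one priority, hosts are
    drawn by weighted random selection, so that a host with weight 60 is
    chosen ahead of a host with weight 40 about 60% of the time.
    """
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                # All remaining weights are zero: any order is acceptable.
                pick = rng.choice(bucket)
            else:
                # Pick a point in [0, total) and take the first record whose
                # cumulative weight passes it (the RFC 2782 running-sum rule).
                point = rng.randint(0, total - 1)
                acc = 0
                pick = bucket[-1]
                for r in bucket:
                    acc += r.weight
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            bucket.remove(pick)
    return ordered


def select_submission_servers(records: List[SrvRecord],
                              rng: Optional[random.Random] = None) -> Optional[List[SrvRecord]]:
    """Apply the RFC 6186 rules before ordering.

    Returns None when the zone says the service is not offered (a single
    record whose target is ".") or when there are no records at all; the
    caller then falls back to whatever its own configuration provides.
    """
    if not records:
        return None
    if len(records) == 1 and records[0].target == ".":
        return None
    return order_srv(records, rng)


if __name__ == "__main__":
    for rec in select_submission_servers(SAMPLE_ANSWERS, random.Random(1)) or []:
        print(f"try {rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
```

Note that nothing here infers a TLS mode from the port: as the mail says, the port number alone (465, 443 or otherwise) does not tell a client whether to do TLS-on-connect or STARTTLS, so that choice stays with explicit configuration.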