Re: [exim] TLSA Security vs SSL/TLS security

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLSA Security vs SSL/TLS security
On Sun, Sep 04, 2016 at 10:17:39PM +0100, Jeremy Harris wrote:

> On 04/09/16 20:44, Viktor Dukhovni wrote:
> > On Sep 3, 2016, at 10:22 AM, Jeremy Harris <jgh@???> wrote:
> >> If you do SRV lookups (via the dnslookup router check_srv option)
> >> you'll get the port given by that.
> >
> > I am not aware of any RFC that specifies that MTAs should use SRV
> > records to locate the nexthop SMTP server when such SRV records are
> > present.
>
> Careful wording there, with "should" :)
I guess my point is that it would be helpful to warn MTA operators
to avoid the check_srv option in routers that determine the nexthop
relay based on the recipient domain (relay MTAs), and only use it
when the nexthop relay is fixed (SOHO submission client MTA).

Indeed, I would strongly urge that you go further, and make the
"check_srv" option disable MX lookup. Any one router should do
one or the other, but not both.

The reason is that MX records specify a domain's inbound MTAs,
while "_smtp" SRV records specify a domain's outbound MSAs. It is
never right to conflate the two.

If "check_srv" were to disable MX lookups, users who accidentally
turn it on for relay flows would quickly discover their error,
rather than get confused by sporadic failures for a minority of
domains.

In any case, I think the documentation could explain the disparate
use-cases more clearly.

-- 
    Viktor.
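Added example (not code from the exim list thread or from Exim itself): a small emulation of how a dnslookup-style router picks a nexthop from constructed DNS data, contrasting a relay router that honours `_smtp._tcp` SRV records (the check_srv behaviour Viktor describes) with one that consults MX only. The zone data, host names and the SRV-then-MX fallback order are assumptions made for illustration.

```python
# Constructed zone: example.org publishes inbound MX relays and an outbound
# _smtp SRV record pointing at its submission host; example.net has MX only.
ZONE = {
    "example.org": {
        "MX": [(10, "mx1.example.org"), (20, "mx2.example.org")],
        "SRV": [(0, 5, 587, "msa.example.org")],  # (priority, weight, port, target)
    },
    "example.net": {
        "MX": [(5, "mail.example.net")],
        "SRV": [],
    },
}


def lookup(domain, rrtype):
    """Return a copy of the constructed records of the given type for domain."""
    return list(ZONE.get(domain, {}).get(rrtype, []))


def mx_nexthops(domain):
    """MX selection: lowest preference value first, SMTP on port 25."""
    return [(host, 25) for _, host in sorted(lookup(domain, "MX"))]


def srv_nexthops(domain):
    """SRV selection: lowest priority first, then higher weight first (RFC 2782)."""
    recs = sorted(lookup(domain, "SRV"), key=lambda r: (r[0], -r[1]))
    return [(host, port) for _, _, port, host in recs]


def route(domain, check_srv):
    """Emulate a relay router resolving the recipient domain.

    With check_srv set, SRV records win whenever they exist and MX is only a
    fallback (assumed to mirror the option's semantics); without it, MX only.
    For a domain that publishes both, the check_srv router sends relayed mail
    to the outbound submission host instead of the inbound MX, which is the
    conflation the message above warns against.
    """
    if check_srv:
        hops = srv_nexthops(domain)
        if hops:
            return hops
    return mx_nexthops(domain)


if __name__ == "__main__":
    for domain in ZONE:
        print(domain, "mx-only:", route(domain, False), "check_srv:", route(domain, True))
```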