Re: [exim-dev] [Bug 2266] New: TLS SNI should default set

Top Page
This message is part of the following thread:
M+++\the complete thread tree sorted by date
MMMMMadmin at <-
.M.MJeremy Harris at ->
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: admin--- via Exim-dev
Subject: Re: [exim-dev] [Bug 2266] New: TLS SNI should default set


> On Apr 17, 2018, at 4:17 PM, admin--- via Exim-dev <exim-dev@???> wrote:
>
> Handling for DANE should be in issue 2265. DANE should stop using the tls_sni
> SMTP Transport option and DANE handling is not in-scope for _this_ tracking
> bug.
>
> IMO tls_sni should default to $domain, which requires disabling multi_domain by
> default.

Not sure what you mean by "$domain", but the DANE SNI *must* be the TLSA
base domain, which is typically the MX hostname (but sometimes its full
CNAME expansion). It is only the nexthop domain when the domain has no
MX records (implicit MX) or an explicit MX whose name is the domain itself.

Thus for: 

    example.net. IN MX 0 smtp.example.net.
    smtp.example.net. IN A 192.0.2.1
    _25._tcp.smtp.example.net. IN TLSA 3 1 1 ...


the SNI value must be "smtp.example.net" not "example.net".
The SMTP server must not abort the handshake when it finds
no matching certificate, rather it must select some
appropriate default chain. 

-- 
    Viktor.



This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clientsRe: [exim-dev] [Bug 2264] New: DNS lookups should not chase CNAME loops->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)