[exim-dev] [Bug 2266] TLS SNI should default set

Pàgina inicial
Delete this message
Reply to this message
Autor: admin
Data:  
A: exim-dev
Assumpte: [exim-dev] [Bug 2266] TLS SNI should default set
https://bugs.exim.org/show_bug.cgi?id=2266

--- Comment #3 from Phil Pennock <pdp@???> ---
(In reply to jasen Betts from comment #2)
> Why use '$domain' (domain of the rcpt(s) may be empty, will usually be wrong
> for delivery via smarthost)
> instead of '$host' (domain of the MX, A, or smarthost)?


Because unless you have DNSSEC, $host is derived via insecure means, the DNS.
DNSSEC means that DNS becomes secure for our purposes.

If you have DNSSEC and want $host sent, then publish TLSA records to enable
DANE, and the other tracking bug will cover our fixing Exim to honor those for
selecting the SNI value to send.

There is never any point in setting TLS SNI to a value which you are not
willing to validate as being correct, referring back to a trusted path of
input. If some people run self-signed without SNI but CA-signed with SNI, then
that's a bug, but for MTAs delivering to MX it makes no difference because by
default MX TLS *IS NOT VALIDATED*.

So, no DNSSEC, need a value, needs to be tied back to the recipient in a
trustworthy way, thus $domain is all we have to go on.

It's not good. It's simply the least bad option available.

--
You are receiving this mail because:
You are on the CC list for the bug.