Author: Alice Wonder
Date:
To: exim-users
Subject: Re: [exim] MTA-STS support?
On 2/3/19 1:36 PM, Viktor Dukhovni via Exim-users wrote:
> On Thu, Jan 31, 2019 at 08:58:04PM -0800, Alice Wonder via Exim-users wrote:
>
>> One thing I am hoping is that an update to the standard will be
>> published that allows the mode (enforce or testing or none) to be
>> published in the DNS record for MTA-STS.
>>
>> When the zone is DNSSEC signed, the MX record could then be trusted and
>> there would be no need to query the https server.
>
> When the zone is DNSSEC-signed it can use DANE if its MX hosts are
> also in signed zones and have TLSA records. Even Google now has a
> few signed MX hosts in the form of mx[1234].smtp.goog . These are
> actually alternative names for the same underlying bunch of nodes
> as the unsigned names you're used to. Once they add TLSA records,
> they'll have support for inbound DANE.
>
> So I don't see a compelling case for signed domains to go with
> MTA-STS.
>
Some don't want to have to coordinate certificates with fingerprints in
TLSA records; as more hosting providers provide DNSSEC by default
when you use their DNS as well, MTA-STS may be easier than generating a new
fingerprint from the keypair every time a new key is generated.
And some distributions of Exim ship without DANE enabled at build time.
Fedora, for example. Not sure why.
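As an added example (not part of this thread, and not Exim's own code), here is the MTA-STS lookup that the message contrasts with DANE/TLSA: the DNS TXT record carries only a version and a policy id, while the mode (enforce, testing or none) and the MX list come from the policy fetched over HTTPS. The TXT record, policy body and host names below are constructed sample values.

```python
# Constructed sample: the _mta-sts TXT record and the policy body served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 formats).
SAMPLE_TXT = "v=STSv1; id=20190131T205804"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.net\nmax_age: 604800\n"

def parse_sts_txt(txt):
    """DNS TXT record carries only version + policy id; return id or None."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_sts_policy(body):
    """Policy file (fetched over HTTPS) is where the mode and MX list live."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid MTA-STS policy")
    return policy

def mx_allowed(mx_host, policy):
    """Match an MX name against mx: entries; '*.' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(mx_host, policy, tls_ok):
    """enforce: refuse on mismatch; testing: deliver but report; none: deliver."""
    if policy["mode"] == "none" or (mx_allowed(mx_host, policy) and tls_ok):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "report-only"
```

A sending MTA would cache the policy for max_age seconds and only refetch when the TXT record's id changes; the TXT record alone never tells it the mode.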