Re: [exim] MTA-STS and Server Name Indication (SNI) on mail …

Top Pagina
Delete this message
Reply to this message
Auteur: Phil Pennock
Datum:  
Aan: John R. Levine
CC: exim-users
Onderwerp: Re: [exim] MTA-STS and Server Name Indication (SNI) on mail servers
On 2020-06-17 at 15:34 -0400, John R. Levine via Exim-users wrote:
> For example, here's where you can find the MTA-STS for my iecc.com:
>
> https://mta-sts.iecc.com/.well-known/mta-sts.txt


My stance on MTA-STS is that it's reasonable to advertise to get the big
players talking to you, but it's a spiralling trap of trust-stores with
the same social failure mode which caused TLSA Usages 0 and 1 to be
rejected for use in SMTP (or really any federated service). So I've
spoken out against implementing MTA-STS as a client, but at the same
time documented for folks how to implement it so that others (gorillas)
can use it.

Which is why:
<https://mta-sts.exim.org/.well-known/mta-sts.txt>
works. Originally purely so that mail from Gmail would be secured.
(Originally setup, perhaps for the JSON variant (I forget), in 2017)

I thought we at least had a wiki page on it. We don't. It's really
nothing specific to Exim though, since it's just static data publication
and entirely outside Exim's remit.

> Looking at the mail logs for my servers, it's pretty clear that Exim doesn't
> send SNI.


Exim sends SNI if it has a reasonable value to send. In the absence of
DNSSEC, there's nothing reasonable to default to. We have an old branch
(from 2018) where I made it default to the mail-domain if not otherwise
set, because TLS1.3 mandates SNI. Looks like that was a "how about this
idea" proposal and we didn't go with it.

I keep mentally thinking that we're setting this automatically when DANE
is in play but it looks like we never got around to that. Ah, I stopped
relying on fallible memory and filed a bug about it:
<https://bugs.exim.org/show_bug.cgi?id=2265>
and we paused on "if we flat-out ignore the configured value for DANE,
we lose flexibility" ... but I suspect we should go ahead and flat-out
ignore it, as we do for several other TLS options once DANE is in play.

So at present, "reasonable value" still means statically configured.

> doesn't have any way to select a certificate using SNI. This is not hard to
> fix; I added SNI support to the mailfront SMTP daemon in a couple of hours.


Exim has supported using the inbound TLS SNI value in the expansion
controls for choosing keys and certs, etc, since I added support for
Exim 4.80 (change PP/17) in 2012. With both OpenSSL and GnuTLS crypto
libraries.

The concept index at:
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-concept_index.html>
links to the various places in the documentation which describe our SNI
behavior.

Most pertinently:
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni>


-Phil