Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Pàgina inicial
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
A: exim-dev
Assumpte: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
Viktor Dukhovni via Exim-dev <exim-dev@???> (So 14 Mär 2021 14:33:21 CET):
> For the record, the expectation is:
>
>  - Absent DANE TLSA records, the literal MX hostname, which is
>    of course insecurely obtained from MX records, so validation
>    is mostly an exercise in futility.  It would only mean something
>    if MTA-STS were implemented, but Exim does not MTA-STS last I
>    heard.


If the next hop's hostname comes from insecure DNS, you're right. If the
next hop's hostname is hard-wired into the configuration (as typically
found in "use-a-smarthost" setups), I believe, it's useful to check the
next hop's certificate prior sending credentials or other private data.

--
Heiko