[exim] Re: MTA-STS with reporting support (RFC 8460)

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Matt Corallo
Data:  
Para: Patrick Cernko, exim-users
Temas antigos: [exim] MTA-STS with reporting support (RFC 8460)
Asunto: [exim] Re: MTA-STS with reporting support (RFC 8460)


On 5/17/23 1:04 AM, Patrick Cernko via Exim-users wrote:
> Hi list,
>
> I just wanted to publish my forked version of Jeff Forsyth's MTASTS-EXIM-PERL solution. In addition
> to some fixes, it also provides a reporting tool for TLSRPT reports (RFC 8460). Reporting is done by
> analyzing the database created by the Perl hooks and the Exim log files.
>
> https://gitlab.mpi-klsb.mpg.de/pcernko/MTASTS-EXIM-PERL


Taking a glance at the Mail::STS library that this seems to use, I'm skeptical this properly
implements DANE fallback.

It looks like it will return a DANE-enforcement policy if the "primary" MX (which seems to just be
the first - I assume it sorts by priority but its entirely unclear to me) has a TLSA record. This
ignores whether the TLSA record has a type that exim can/will enforce, ignores whether any secondary
MX's have TLSA records, and seems to even ignore whether the TLSA record is properly DNSSEC-signed
(though my perl-readability is pretty poor).

This can cause delivery failure for any number of reasons if the dane-enforcement flag returned
doesn't match exim's ability to enforce DANE.

Because of the complexity of exactly matching exim's DANE policy, its almost certainly better to
avoid MTA-STS unless your MTA has native support for it (which no popular ones do - its a rube
goldberg machine of nonsense). The postfix-mta-sts package has even worse behavior than this.

MTA-STS is mostly a google thing anyway, just set your tls_enforce to *.gmail/google and let DANE
take care of the rest :)

Matt

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/