[exim-cvs] Docs: update info on MTA-STS. Bug 3091

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Docs: update info on MTA-STS. Bug 3091
Gitweb: https://git.exim.org/exim.git/commitdiff/2159057b255a1bc6d870ebddef858ee2b47d331d
Commit:     2159057b255a1bc6d870ebddef858ee2b47d331d
Parent:     586d7aa579e3038e63c51669dce2cb0677f335e3
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Apr 17 13:36:17 2024 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Apr 17 13:36:17 2024 +0100


    Docs: update info on MTA-STS.  Bug 3091
---
 doc/doc-docbook/spec.xfpt | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 8164dcd74..182e5644c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -30542,12 +30542,17 @@ Section 4.3 of that document.
.subsection General
Under GnuTLS, DANE is only supported from version 3.0.0 onwards.

-DANE is specified in published RFCs and decouples certificate authority trust
+DANE is specified in RFC 6698. It decouples certificate authority trust
selection from a "race to the bottom" of "you must trust everything for mail
to get through".
-There is an alternative technology called MTA-STS, which
-instead publishes MX trust anchor information on an HTTPS website. At the
-time this text was last updated, MTA-STS was still a draft, not yet an RFC.
+It does retain the need to trust the assurances provided by the DNSSEC tree.
+
+There is an alternative technology called MTA-STS (RFC 8461), which
+instead publishes MX trust anchor information on an HTTPS website.
+The discovery of the address for that website does not (per standard)
+require DNSSEC, and could be regarded as being less secure than DANE
+as a result.
+
Exim has no support for MTA-STS as a client, but Exim mail server operators
can choose to publish information describing their TLS configuration using
MTA-STS to let those clients who do use that protocol derive trust
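
Review bot: the added line "DANE is specified in RFC 6698." narrows the old "published RFCs" to the TLSA record specification alone, while DANE as applied to SMTP is specified in RFC 7672, so the sentence should cite both (for example "DANE is specified in RFC 6698, and its use for SMTP in RFC 7672."). In the new MTA-STS paragraph, "the discovery of the address for that website" would be clearer if it said which lookups go without DNSSEC, since RFC 8461 fixes the policy host name as mta-sts.<domain> and uses a _mta-sts TXT record to signal that a policy exists.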

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/