CentOS - Apr 2016 - Apache/PHP Installation - opinions

On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder <alice at domblogger.net>
wrote:
> That is the only reliable way to avoid MITM with SMTP.
Except I can just strip STARTTLS and most MTAs will continue to connect.

Brandon Vincent

On 04/27/2016 12:59 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder <alice at
domblogger.net> wrote:
>> That is the only reliable way to avoid MITM with SMTP.
>
> Except I can just strip STARTTLS and most MTAs will continue to connect.
>
No you can't.

Not with a smtp that enforces DANE.

If my postfix sees that your SMTP publishes a DANE record then it will 
refuse to connect unless it is a secure connection with a certificate 
that matches the fingerprint in the TLSA record.

See RFC 7672

But the postfix in RHEL / CentOS 7 does not support that.

On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net>
wrote:
> Not with a smtp that enforces DANE.
I'm aware of how DANE works.

The only problem is no MTA outside of Postfix implements it.

You can thank the hatred of DNSSEC for that.

Brandon Vincent