On 04/27/2016 01:19 AM, Alice Wonder wrote:
> On 04/27/2016 01:06 AM, Brandon Vincent wrote:
>> On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net>
>> wrote:
>>> Not with a smtp that enforces DANE.
>>
>> I'm aware of how DANE works.
>>
>> The only problem is no MTA outside of Postfix implements it.
>>
>> You can thank the hatred of DNSSEC for that.
>>
>
> I never understood the hatred for DNSSEC.
>
> When I first read about it, it was like a beautiful epiphany.
>
> But DNSSEC adoption is increasing. I keep seeing the green DNSSEC icon
> in my browser more and more often, when I first started using it was rare.
>
> But the point is, other mail servers may not have implemented yet but
> Postfix has implemented it, and the stock version in RHEL / CentOS is
> too old. Barely too old, but too old.
>
> Thus better security is achieved by running a newer version.
>
> Especially since adoption is in fact increasing.
Comcast is a major ISP that publishes TLSA records for their MX servers.
It appears the TLSA records for IPv6 are broken but I was told that was
intentional, they can tell what mail servers don't enforce DANE by which
ones continue to connect to IPv6 anyway.
The IPv4 records are good and valid.
So when any of my mail servers send e-mail to users at a Comcast
address, it is extremely unlikely that a MITM would be successful.
But only because I updated the postfix from stock.
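What a DANE-enforcing MTA actually checks against TLSA records like Comcast's, as an added example that is not part of this thread and is not Postfix's own code: it computes the certificate-association data for the "3 1 1" form (DANE-EE, SubjectPublicKeyInfo, SHA-256) that RFC 7672 recommends for SMTP and compares it with the record an operator would publish. The certificate is a constructed DER placeholder with dummy key and signature bytes (built with a minimal DER encoder so the SPKI extraction works on a real-shaped structure), and the record it is matched against is derived from it inline. A real check takes the TLSA RRset from a validating resolver and the certificate from the MX's TLS handshake; only usage 3 is handled here, DANE-TA (usage 2) needs chain building and is out of scope.

```python
# Added example, not from the thread and not Postfix code: the TLSA comparison a
# DANE-enforcing SMTP client performs. The certificate is a constructed DER
# placeholder (dummy key and signature bytes), not a real MX certificate.
import hashlib


def der(tag, content):
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Yield (tag, full_tlv_bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        yield tag, body[pos:end]
        pos = end


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)    # tbsCertificate is the first element
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return spki


# TLSA parameters from RFC 6698; RFC 7672 recommends "3 1 1" or "2 1 1" for SMTP.
DANE_EE = 3
SEL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def parse_tlsa(rdata):
    """Parse presentation format as dig prints it: '3 1 1 <hex>'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))


def tlsa_rdata(cert_der, selector, mtype):
    """Certificate-association data for a cert: what the MX operator publishes."""
    obj = cert_der if selector == SEL_CERT else extract_spki(cert_der)
    if mtype == MATCH_FULL:
        return obj
    if mtype == MATCH_SHA256:
        return hashlib.sha256(obj).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type %d" % mtype)


def dane_ee_match(cert_der, record):
    """True if the presented leaf certificate satisfies a DANE-EE TLSA record.

    Usage 3 matches the leaf directly, without PKIX chain validation
    (RFC 7672, section 3.1.1). Other usages are rejected by this example.
    """
    usage, selector, mtype, data = record
    if usage != DANE_EE:
        raise ValueError("only DANE-EE (usage 3) records are handled here")
    return tlsa_rdata(cert_der, selector, mtype) == data


def fake_cert(key_bytes):
    """Constructed X.509 DER placeholder; key and signature bytes are dummies."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    oid_rsa = der(0x06, bytes.fromhex("2a864886f70d010101"))             # rsaEncryption
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"160427000000Z") + der(0x17, b"170427000000Z"))
    spki = der(0x30, der(0x30, oid_rsa + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xaa" * 32))


MX_CERT = fake_cert(b"\x01" * 64)      # what the genuine MX presents (constructed)
MITM_CERT = fake_cert(b"\x02" * 64)    # what an interposer would present (constructed)

# The record the operator publishes, in the form a DNSSEC-validating dig shows it.
PUBLISHED = "3 1 1 " + tlsa_rdata(MX_CERT, SEL_SPKI, MATCH_SHA256).hex()


def check_delivery(presented_cert, tlsa_text=PUBLISHED):
    """True if an enforcing MTA would proceed with delivery over this session."""
    return dane_ee_match(presented_cert, parse_tlsa(tlsa_text))


if __name__ == "__main__":
    print("genuine MX cert matches TLSA:", check_delivery(MX_CERT))    # True
    print("MITM cert matches TLSA:     ", check_delivery(MITM_CERT))  # False
```

In Postfix the equivalent is enabled with smtp_tls_security_level = dane together with smtp_dns_support_level = dnssec and a local validating resolver. Because usage 3 matches only the leaf's public key, an interposer that presents a different certificate fails the comparison even if that certificate chains to a public CA, which is the property the thread is relying on.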