search for: smtp_dns_support_level

On 04/27/2016 12:30 AM, James Hogarth wrote: *snip* > > Unless you have a very specific requirement for a very bleeding edge > feature it's fundamentally a terrible idea to move away from the > distribution packages in something as exposed as a webserver ... I use to believe that. However I no longer. First of all, advancements in TLS happen too quickly. The RHEL philosophy of

...ail to my server, they can do a DNS query and if I have a DANE record, then they can require that that the TLS connection they make to my SMTP server uses a certificate with a fingerprint that matches. That is the only reliable way to avoid MITM with SMTP. It's easy to set up in postfix - smtp_dns_support_level = dnssec smtp_host_lookup = dns But with the postfix that comes with CentOS 7 - it is too old for that, so Postfix with CentOS 7 will never even try to verify the TLS certificate of the servers it connects to. It's a stale version of postfix and people running postfix on CentOS 7 should us...

...query and if I have a DANE record, then they can require that > that the TLS connection they make to my SMTP server uses a certificate > with a fingerprint that matches. > > That is the only reliable way to avoid MITM with SMTP. > > It's easy to set up in postfix - > > smtp_dns_support_level = dnssec > smtp_host_lookup = dns > Sounds good, but how many domain MX servers have set up these fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it uses it if available. So even if you do post it on your DNS, how many clients out there are using DANE...

...itive_feedback = $default_destination_concurrency_positive_feedback smtp_destination_rate_delay = $default_destination_rate_delay smtp_destination_recipient_limit = $default_destination_recipient_limit smtp_discard_ehlo_keyword_address_maps = smtp_discard_ehlo_keywords = smtp_dns_resolver_options = smtp_dns_support_level = smtp_enforce_tls = no smtp_extra_recipient_limit = $default_extra_recipient_limit smtp_fallback_relay = $fallback_relay smtp_generic_maps = smtp_header_checks = smtp_helo_name = $myhostname smtp_helo_timeout = 300s smtp_host_lookup = dns smtp_initial_destination_concurrency = $initial_destination...