Displaying 4 results from an estimated 4 matches for "smtp_dns_support_level".
2016 Apr 27
3
Apache/PHP Installation - opinions
On 04/27/2016 12:30 AM, James Hogarth wrote:
*snip*
>
> Unless you have a very specific requirement for a very bleeding edge
> feature it's fundamentally a terrible idea to move away from the
> distribution packages in something as exposed as a webserver ...
I used to believe that.
However, I no longer do.
First of all, advancements in TLS happen too quickly.
The RHEL philosophy of
2016 Apr 27
0
Apache/PHP Installation - opinions
...ail to my server, they can do
a DNS query and if I have a DANE record, then they can require that
the TLS connection they make to my SMTP server uses a certificate with a
fingerprint that matches.
That is the only reliable way to avoid MITM with SMTP.
It's easy to set up in postfix -
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
But with the postfix that comes with CentOS 7 - it is too old for that,
so Postfix with CentOS 7 will never even try to verify the TLS
certificate of the servers it connects to.
It's a stale version of postfix and people running postfix on CentOS 7
should us...
2016 Apr 27
2
Apache/PHP Installation - opinions
...query and if I have a DANE record, then they can require that
> the TLS connection they make to my SMTP server uses a certificate
> with a fingerprint that matches.
>
> That is the only reliable way to avoid MITM with SMTP.
>
> It's easy to set up in postfix -
>
> smtp_dns_support_level = dnssec
> smtp_host_lookup = dns
>
Sounds good, but how many domain MX servers have set up these
fingerprint keys - 1%, maybe 2%, so how do you code for that? I guess
I'm thinking it uses it if available. So even if you do post it on your
DNS, how many clients out there are using DANE...
2014 Nov 16
1
UNIX perms appear ok (ACL/MAC wrong?)
...itive_feedback =
$default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_dns_resolver_options =
smtp_dns_support_level =
smtp_enforce_tls = no
smtp_extra_recipient_limit = $default_extra_recipient_limit
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination...