On Mon, Aug 26, 2013 at 03:18:24PM -0400, Warren Kumari wrote:
> A few participants suggested that the folk running the IETF
> infrastructure monitor for $something when enabling this. AFAIR,
> $someone[0] was supposed to provide some things to monitor for?
If they implement in stages:
- The first step is to configure a suitable self-signed certificate
for the SMTP server and enable STARTTLS. Some small fraction
of SMTP connections will fail the TLS handshake. Generally the
sending system will fallback to plaintext and deliver anyway.
One can monitor the logs to identify any systems that consistently
fail to establish a TLS connection, and gather statistics on the
source IPs and frequency.
- The second step is to publish corresponding TLSA RRs (either
3 1 1 for a self-signed cert, or 2 1 1 if they elect instead to go
with some issuing CA). At this point one can monitor for any changes
in the frequency of failed TLS sessions.
It should also be noted that some (for example Postfix) SMTP clients
will not abort the TLS handshake when server authentication fails.
Rather, the TLS handshake will be completed, and the client will
send a "QUIT" to gracefully close the session at the SMTP layer.
Therefore, they should also monitor for connections that close
gracefully without delivering any mail.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
