On Aug 26, 2013, at 3:33 PM, Viktor Dukhovni <[email protected]> wrote:
> On Mon, Aug 26, 2013 at 03:18:24PM -0400, Warren Kumari wrote:
>
>> A few participants suggested that the folk running the IETF
>> infrastructure monitor for $something when enabling this. AFAIR,
>> $someone[0] was supposed to provide some things to monitor for?
>
> If they implement in stages:
>
> - The first step is to configure a suitable self-signed certificate
> for the SMTP server and enable STARTTLS.

I received a reply from the AMS folk (who, as always, are friendly and helpful). Part of the delay[0] is that the IETF server infrastructure is in the process of being upgraded. New machines are being deployed, and then there will be some config / tuning / testing. Hopefully the new stuff will be ready sometime mid-September, and then we can continue.

> Some small fraction
> of SMTP connections will fail the TLS handshake. Generally the
> sending system will fall back to plaintext and deliver anyway.
> One can monitor the logs to identify any systems that consistently
> fail to establish a TLS connection, and gather statistics on the
> source IPs and frequency.
>
> - The second step is to publish corresponding TLSA RRs (either
> 3 1 1 for a self-signed cert, or 2 1 1 if they elect instead to go
> with some issuing CA). At this point one can monitor for any changes
> in the frequency of failed TLS sessions.
>
>
> It should also be noted that some (for example Postfix) SMTP clients
> will not abort the TLS handshake when server authentication fails.
> Rather, the TLS handshake will be completed, and the client will
> send a "QUIT" to gracefully close the session at the SMTP layer.
> Therefore, they should also monitor for connections that close
> gracefully without delivering any mail.

Cool.

W

[0]: Yeah, it's a tiny bit -- the huge majority is me getting sidetracked and not, you know, actually asking them till now :-)

>
> --
> Viktor.
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

--
There were such things as dwarf gods. Dwarfs were not a naturally religious species, but in a world where pit props could crack without warning and pockets of fire damp could suddenly explode they'd seen the need for gods as the sort of supernatural equivalent of a hard hat. Besides, when you hit your thumb with an eight-pound hammer it's nice to be able to blaspheme. It takes a very special and strong-minded kind of atheist to jump up and down with their hand clasped under their other armpit and shout, "Oh, random-fluctuations-in-the-space-time-continuum!" or "Aaargh, primitive-and-outmoded-concept on a crutch!"
-- Terry Pratchett

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
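The two log-monitoring signals Viktor describes for a staged STARTTLS/DANE rollout, worked through as an added example that is not part of the thread or of any IETF or Postfix code: (1) peers that consistently fail the TLS handshake after STARTTLS, and (2) peers that complete the handshake and then QUIT without ever issuing MAIL/DATA, which is how a DANE-verifying Postfix client signals an authentication failure. The log lines are constructed, with RFC 5737 documentation addresses, and only modelled on the shape of Postfix smtpd logging (connect/disconnect lines with per-command counts, "Anonymous TLS connection established", "SSL_accept error", "lost connection after STARTTLS"); the field names, the session-grouping heuristic and the failure threshold are assumptions, not a specification of Postfix's log format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on Postfix smtpd logging; not real server output.
# mta-a delivers normally over TLS; mta-b fails the handshake twice;
# mta-c completes TLS and QUITs without MAIL/DATA (DANE-style refusal).
SAMPLE_LOG = """\
Aug 26 15:40:01 mx postfix/smtpd[2101]: connect from mta-a.example.net[192.0.2.10]
Aug 26 15:40:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mta-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 26 15:40:02 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=mta-a.example.net[192.0.2.10]
Aug 26 15:40:02 mx postfix/smtpd[2101]: disconnect from mta-a.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 26 15:41:10 mx postfix/smtpd[2102]: connect from mta-b.example.org[198.51.100.7]
Aug 26 15:41:10 mx postfix/smtpd[2102]: SSL_accept error from mta-b.example.org[198.51.100.7]: -1
Aug 26 15:41:10 mx postfix/smtpd[2102]: lost connection after STARTTLS from mta-b.example.org[198.51.100.7]
Aug 26 15:41:10 mx postfix/smtpd[2102]: disconnect from mta-b.example.org[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
Aug 26 15:43:22 mx postfix/smtpd[2103]: connect from mta-b.example.org[198.51.100.7]
Aug 26 15:43:22 mx postfix/smtpd[2103]: SSL_accept error from mta-b.example.org[198.51.100.7]: -1
Aug 26 15:43:22 mx postfix/smtpd[2103]: lost connection after STARTTLS from mta-b.example.org[198.51.100.7]
Aug 26 15:43:22 mx postfix/smtpd[2103]: disconnect from mta-b.example.org[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
Aug 26 15:45:00 mx postfix/smtpd[2104]: connect from mta-c.example.com[203.0.113.5]
Aug 26 15:45:00 mx postfix/smtpd[2104]: Anonymous TLS connection established from mta-c.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 26 15:45:00 mx postfix/smtpd[2104]: disconnect from mta-c.example.com[203.0.113.5] ehlo=2 starttls=1 quit=1 commands=4
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
# Per-command counts on the disconnect line, e.g. "starttls=0/1" (ok/total).
COUNT_RE = re.compile(r"\b(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def parse_sessions(log_text):
    """Group smtpd lines into SMTP sessions.

    Assumption: one smtpd process handles one session at a time, so a
    'connect from' line opens a session on that pid and the matching
    'disconnect from' line closes it.
    """
    sessions = []
    current = {}  # pid -> session currently open on that smtpd process
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from"):
            peer = PEER_RE.search(msg)
            current[pid] = {"ip": peer.group("ip") if peer else None,
                            "tls_failed": False, "tls_ok": False, "counts": {}}
            sessions.append(current[pid])
            continue
        s = current.get(pid)
        if s is None:
            continue  # mid-session line whose connect we never saw
        if msg.startswith("SSL_accept error") or "lost connection after STARTTLS" in msg:
            s["tls_failed"] = True
        elif "TLS connection established" in msg:
            s["tls_ok"] = True
        elif msg.startswith("disconnect from"):
            s["counts"] = {c.group("cmd"): int(c.group("ok"))
                           for c in COUNT_RE.finditer(msg)}
            del current[pid]
    return sessions


def summarize(sessions):
    """Count, per source IP, handshake failures and TLS sessions that QUIT
    without MAIL or DATA (i.e. closed gracefully without delivering mail)."""
    handshake_failures = defaultdict(int)
    quit_without_mail = defaultdict(int)
    for s in sessions:
        c = s["counts"]
        if s["tls_failed"]:
            handshake_failures[s["ip"]] += 1
        elif s["tls_ok"] and c.get("quit", 0) > 0 \
                and c.get("mail", 0) == 0 and c.get("data", 0) == 0:
            quit_without_mail[s["ip"]] += 1
    return dict(handshake_failures), dict(quit_without_mail)


def consistent_failures(handshake_failures, threshold=2):
    """IPs whose handshake failures reach the (assumed) threshold."""
    return sorted(ip for ip, n in handshake_failures.items() if n >= threshold)


if __name__ == "__main__":
    fails, quits = summarize(parse_sessions(SAMPLE_LOG))
    print("handshake failures by IP:", fails)
    print("TLS sessions that QUIT without mail:", quits)
    print("consistently failing peers:", consistent_failures(fails))
```

Run over a real maillog, the first dictionary is what to watch during step one (self-signed cert plus STARTTLS); a jump in the second after step two (publishing the TLSA RRs) points at verifying clients that reject the record, which is the signal Viktor says Postfix will give by completing the handshake and sending QUIT rather than aborting.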
