On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users wrote:

> > No, it's a pure security policy thing and an overlooked line in the mysql
> > tls policy table.
> >
> > The policy "secure" (and I assume "dane-only") doesn't work, as github is
> > not using DNSSEC. Valid policies which make this work are "verify", "may"
> > and I assume "dane" (if you have "smtp_tls_security_level = may" or verify
> > resp. "smtpd_tls_security_level = may" or verify).
Security levels usable today include:

- may: good enough to protect against passive monitoring.

- encrypt: Same as above, but will never fall back to cleartext if for some
  reason a Github MX host fails to offer or (even after a retry) negotiate
  STARTTLS.

- dane: Same as "may" in the absence of DNSSEC MX and TLSA records, but
  should Github adopt DANE, becomes hardened also against active attacks.

- verify: Essentially the same as "encrypt", unless MX records are
  tamper-resistant via DNSSEC, or explicit match names are specified
  (becomes identical to "secure" with the same match names). Not
  recommended.

- secure: With default, or explicit, name match patterns not affected by MX
  forgery. The default match names ("nexthop" and "dot-nexthop" patterns)
  work only when the MX host certificates also include SANs matching the
  nexthop or a subdomain. If tweaked to use the "hostname" name match
  pattern, becomes identical to "verify".

-- 
Viktor.
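As an added illustration (not part of the thread, and not Postfix's own documentation), here is how the levels above look as entries in a Postfix smtp_tls_policy_maps table for a destination whose MX records are not DNSSEC-signed; the map path is a placeholder, and a mysql: map would return the same right-hand-side strings. Only one entry per destination is active; the others are shown commented out.

```text
# main.cf (placeholder path):
#   smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#
# /etc/postfix/tls_policy
#
# "encrypt": never falls back to cleartext, but does no certificate
# checks, so it only protects against passive monitoring.
github.com      encrypt

# "dane": behaves like "may" until the destination publishes
# DNSSEC-signed MX and TLSA records, then also resists active attacks.
#github.com     dane

# "verify" with its default "hostname" match: the name comes from an
# MX lookup that is not DNSSEC-protected, so in practice no stronger
# than "encrypt".
#github.com     verify

# "secure" with explicit match names: not affected by MX forgery, but
# the MX host certificates must carry these names as SANs.
#github.com     secure match=github.com:.github.com

# "secure match=hostname" would collapse back into plain "verify".
#github.com     secure match=hostname
```

After editing a hash: table, rebuild it with "postmap /etc/postfix/tls_policy"; a mysql: table needs no rebuild.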