On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users wrote:
> > No, it's a pure security policy thing and an overlooked line in the mysql
> > tls policy table.
> >
> > The policy "secure" (and I assume "dane-only") doesn't work, as github is
> > not using DNSSEC. Valid policies which make this work are "verify", "may"
> > and I assume "dane" (if you have "smtp_tls_security_level = may" or verify
> > resp. "smtpd_tls_security_level = may" or verify).

Security levels usable today include:

    - may: good enough to protect against passive monitoring

    - encrypt: Same as above, but will never fall back to cleartext
               if for some reason a Github MX host fails to offer or
               (even after a retry) negotiate STARTTLS.

    - dane:    Same as "may" in the absence of DNSSEC MX and TLSA
               records, but should Github adopt DANE, becomes
               hardened also against active attacks.

    - verify:  Essentially the same as "encrypt", unless MX records are
               tamper-resistant via DNSSEC, or explicit match
               names are specified (becomes identical to "secure"
               with the same match names).  Not recommended.

    - secure:  With default, or explicit name match patterns not
               affected by MX forgery.  The default match names
               ("nexthop" and "dot-nexthop" patterns) work only
               when the MX host certificates also include SANs
               matching the nexthop or a subdomain.  If tweaked
               to use the "hostname" name match pattern, becomes
               identical to "verify".

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
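The following is an added example, not code from the original post or from Postfix itself: a small linter that reads an smtp_tls_policy_maps table and classifies each destination according to the properties listed above (whether TLS is mandatory, and whether the level resists active attacks rather than only passive monitoring). The sample table, the destination names and the "DNS facts" dictionary are constructed for illustration; the linter does not query DNS, so whether a destination has DNSSEC-signed MX records or TLSA records is something the caller supplies. The match-name rule it encodes is the one Viktor describes: "verify" with explicit match names behaves like "secure", and "secure" with match=hostname behaves like "verify".

```python
"""
Lint a Postfix smtp_tls_policy_maps table against the properties of the
TLS security levels described in the post above: cleartext fallback,
passive-only protection, and the verify/secure name-match interaction.
Added example, not code from the original post or from Postfix; the table
contents and the DNS facts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Postfix defaults for smtp_tls_verify_cert_match / smtp_tls_secure_cert_match.
DEFAULT_MATCH = {
    "verify": ["hostname"],
    "secure": ["nexthop", "dot-nexthop"],
}

# Constructed sample table in the "nexthop level [attr=value ...]" format
# that smtp_tls_policy_maps expects; the destinations are illustrative.
SAMPLE_POLICY = """\
# destination     level    [attributes]
github.com        secure
example.org       secure   match=hostname
example.net       verify   match=mx.example.net:.example.net
example.com       encrypt
dane.example      dane
relay.example     may
"""


@dataclass
class Entry:
    nexthop: str
    level: str
    match: list[str] = field(default_factory=list)  # [] means Postfix default


def parse_policy(text: str) -> list[Entry]:
    """Parse the table; only the 'match=' attribute is interpreted."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed policy line: {raw!r}")
        entry = Entry(fields[0].lower(), fields[1].lower())
        for attr in fields[2:]:
            key, _, value = attr.partition("=")
            if key == "match":
                entry.match = [m for m in value.split(":") if m]
        entries.append(entry)
    return entries


def assess(entry: Entry, dns: frozenset[str] = frozenset()) -> tuple[bool, bool, str]:
    """Return (tls_mandatory, active_attack_resistant, note) for one entry.

    'dns' carries caller-supplied facts about the destination: "dnssec_mx"
    (its MX records are DNSSEC-signed) and "tlsa" (TLSA records exist).
    The linter cannot look these up offline, so the caller states them.
    """
    level = entry.level
    if level == "none":
        return False, False, "TLS disabled"
    if level == "may":
        return False, False, "opportunistic; protects only against passive monitoring"
    if level == "encrypt":
        return True, False, "no cleartext fallback, but no certificate checks"
    if level == "dane":
        if {"dnssec_mx", "tlsa"} <= dns:
            return True, True, "DNSSEC MX + TLSA: hardened against active attacks"
        return False, False, "no DNSSEC MX/TLSA: behaves like 'may'"
    if level in ("verify", "secure"):
        match = entry.match or DEFAULT_MATCH[level]
        # 'hostname' matches whatever name the (unsigned) MX lookup returned,
        # so an attacker who forges MX records also chooses the name to match.
        if "hostname" in match and "dnssec_mx" not in dns:
            return True, False, f"match={match} trusts forgeable MX records; effectively 'encrypt'"
        note = f"certificate must match {match}"
        if match == DEFAULT_MATCH["secure"]:
            note += " (MX host certs need a SAN for the nexthop or a subdomain)"
        return True, True, note
    raise ValueError(f"unknown security level {level!r} for {entry.nexthop}")


def lint(text: str, dns_facts: dict[str, set[str]] | None = None) -> dict[str, tuple[bool, bool, str]]:
    """Assess every entry; dns_facts maps nexthop -> set of DNS facts."""
    dns_facts = dns_facts or {}
    return {
        e.nexthop: assess(e, frozenset(dns_facts.get(e.nexthop, ())))
        for e in parse_policy(text)
    }


if __name__ == "__main__":
    for nexthop, (mandatory, hardened, note) in lint(SAMPLE_POLICY).items():
        print(f"{nexthop:14} mandatory={mandatory!s:5} active-resistant={hardened!s:5} {note}")
```

Run it as-is to see the sample table classified; feed it your own table (the output of `postmap -s` on a hash table works, since the format is the same) and a dictionary of which destinations you know to have signed MX and TLSA records. Entries reported as mandatory but not active-attack-resistant are the "verify"-equivalent cases Viktor advises against.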