On Thu, Jul 31, 2014 at 10:49:14AM -0500, Noel Jones wrote:

> You can do that much already.
> 
> # somewhere in main.cf
>   check_sender_access hash:/path/to/tls_required
> 
> # tls_required
> example.com   reject_plaintext_session

This is unwise, because it breaks forwarding.  If someone from
example.com sends mail to user@alumni.example that happens to
forward to user@acme.example (the receiving system), the mail
will be rejected.

SMTP is hop-by-hop, but envelope sender addresses are (mostly)
end-to-end.  The impedance mismatch makes it unwise to apply
hop-by-hop policy to end-to-end properties.

> The real problem is this doesn't/can't enforce the From: header,
> which is the only thing the end-user will eventually see.  Verifying
> the client can't fix that.

Is Patrick in fact talking about message authentication à la DKIM?
Or is he thinking more along the lines of SASL where some sending
systems "authenticate" to some receiving systems and as a result
are able to reach restricted mailing lists, relay mail outbound, ...

In the latter scenario, using ccert fingerprints is not always
convenient, and if we had DANE client TLSA RRs, one could use the
client domain (HELO name) in ACLs instead of volatile ccert digests.

-- 
        Viktor.
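
The forwarding failure described in the message above, modelled as an added example (not part of the original message or of Postfix). Host names, the per-client list and the assumption that the forwarder leaves the envelope sender unchanged are constructed for illustration.

```python
from dataclasses import dataclass

TLS_REQUIRED_SENDERS = {"example.com"}        # models the quoted tls_required map
TLS_REQUIRED_CLIENTS = {"mail.example.com"}   # hypothetical per-client list

@dataclass(frozen=True)
class Hop:
    client: str   # connecting SMTP client: a hop-by-hop identity
    server: str   # MTA receiving this hop
    tls: bool     # did this one SMTP session use TLS?

def sender_keyed(envelope_sender: str, hop: Hop) -> str:
    """End-to-end lookup key, hop-by-hop TLS test (the quoted config)."""
    domain = envelope_sender.rpartition("@")[2].lower()
    if domain in TLS_REQUIRED_SENDERS and not hop.tls:
        return "REJECT"
    return "ACCEPT"

def client_keyed(envelope_sender: str, hop: Hop) -> str:
    """Hop-by-hop lookup key and hop-by-hop TLS test, for contrast."""
    if hop.client in TLS_REQUIRED_CLIENTS and not hop.tls:
        return "REJECT"
    return "ACCEPT"

def verdict_at(server: str, envelope_sender: str, hops, policy) -> str:
    """Apply `policy` on the hop that lands on `server`. Forwarding is
    assumed to keep the envelope sender unchanged (no sender rewriting)."""
    for hop in hops:
        if hop.server == server:
            return policy(envelope_sender, hop)
    raise ValueError(f"no hop terminates at {server}")

# Constructed sample paths to the receiving system.
SENDER = "someone@example.com"
DIRECT = [Hop("mail.example.com", "mx.acme.example", tls=True)]
FORWARDED = [
    Hop("mail.example.com", "mx.alumni.example", tls=True),
    Hop("mx.alumni.example", "mx.acme.example", tls=False),  # forwarder, no TLS
]

if __name__ == "__main__":
    for name, path in (("direct", DIRECT), ("forwarded", FORWARDED)):
        for policy in (sender_keyed, client_keyed):
            result = verdict_at("mx.acme.example", SENDER, path, policy)
            print(f"{name:9} {policy.__name__:12} {result}")
```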
