On Fri, Nov 07, 2014 at 02:04:27PM +0100, Bernhard Schmidt wrote:

> However, sometimes mx2.bund.de negotiates an Anonymous TLS connection
> and the mail gets delivered
> 
> Nov  7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS
> connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with
> cipher AECDH-AES256-SHA (256/256 bits)
> Nov  7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: 3jYxzC541LzyYf:
> to=<[email protected]>, relay=mx2.bund.de[77.87.224.131]:25, delay=0.32,
> delays=0.05/0/0.16/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> E353315D45B)

Pay close attention to the recipient domain.  While bund.de is DNSSEC
signed, ble.de is not.

> - Why are Untrusted TLS connections dropped, but the arguably even
> weaker Anonymous TLS connections accepted?

DANE does not apply to unsigned domains, even though the MX host
might have TLSA RRs.

-- 
        Viktor.

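As an added illustration (not from the thread, and not Postfix code), the following Python model captures Viktor's point: with `smtp_tls_security_level = dane`, the recipient domain's DNSSEC status decides the effective TLS level, so an unsigned domain such as ble.de gets only opportunistic TLS even if the MX host publishes TLSA records. The log lines are constructed after the ones quoted above; the `tlsa_state` values are this example's own labels.

```python
"""Model of DANE policy selection for a Postfix-style SMTP client, with a
parser for the "TLS connection established" log lines quoted in the thread.
Added as an example; not the project's code."""
import re

# Constructed log lines modelled on the ones in the thread (one per line).
SAMPLE_LOG = """\
Nov  7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov  7 11:05:02 lxmhs52 postfix-postout/smtp[18402]: Untrusted TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  7 11:05:30 lxmhs52 postfix-postout/smtp[18410]: Verified TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def parse_tls_lines(log):
    """Return one dict (trust, host, ip, proto, cipher) per TLS log line."""
    return [m.groupdict() for m in map(TLS_LINE.search, log.splitlines()) if m]

def effective_level(recipient_domain_signed, tlsa_state):
    """Effective security level when the configured level is "dane".
    tlsa_state is one of "none", "unusable", "usable" (labels chosen here).
    An unsigned recipient domain cannot be DANE-protected: the MX lookup
    is not validated, so TLSA records on the MX host are never trusted and
    delivery falls back to opportunistic TLS ("may")."""
    if not recipient_domain_signed:
        return "may"
    if tlsa_state == "none":          # signed, but no TLSA records published
        return "may"
    if tlsa_state == "unusable":      # TLSA present but none usable: encrypt, no auth
        return "encrypt"
    return "dane"                     # usable TLSA: authenticated TLS required

def connection_accepted(level, trust):
    """Decide whether a connection with the logged trust level (None = no
    TLS at all) satisfies the effective security level."""
    if level == "may":
        return True                   # anything goes, including Anonymous TLS
    if level == "encrypt":
        return trust is not None      # any TLS, even unauthenticated
    return trust == "Verified"        # dane: only a TLSA-matched peer

def deliveries(log, recipient_domain_signed, tlsa_state):
    """Pair each logged connection with the policy outcome for this recipient."""
    level = effective_level(recipient_domain_signed, tlsa_state)
    return [(e["trust"], connection_accepted(level, e["trust"])) for e in parse_tls_lines(log)]
```

For the ble.de case in the thread, `deliveries(SAMPLE_LOG, False, "usable")` accepts all three connections; for a signed domain with usable TLSA, only the Verified one passes.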