Wietse Venema:
Rich Felker:
> > It would be a mistake to use TLSA records from an unsigned domain.
> > That would be no more secure than accepting a random server
> > certificate. All the pain of doing TLSA and none of the gain, just
> > security theatre.
>
> It's not security theater. It (1) ensures that you do use records for
> a signed domain even if you were unable to determine it was signed,
> due to issues like lack of AD bit in musl or stripping of AD bit by
> glibc default configuration, and (2) makes it so an attacker wanting
> to MITM needs to be able to do so on DNS channel, not just route to
> the MX. (For example this might be difficult or impossible for the
> attacker if DNS is routed over DoH, or if attacker can sit somewhere
> between client and MX but not between client and the nearest anycast
> 8.8.8.8.)

Congratulations! You just gave a new definition of security theatre:
using an unauthenticated channel to distribute trust anchors. You
can consider libc-musl as unsupported from now on.

On 19.04.20 13:11, Wietse Venema wrote:
Verified on alpine-3.11.5.

alpine:~/postfix-3.6-20200419$ make makefiles
...
Warning: libc-musl breaks DANE/TLSA security.
Use a glibc-based Linux distribution instead.
Remove this test to build unsupported Postfix.
make: *** [Makefile:79: makefiles] Error 1

Isn't this contrary to what you have said before?

https://marc.info/?l=postfix-users&m=158715103506366&w=2
However, if people want to shoot
themselves in the foot, then Postfix won't stop them.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.

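The position Wietse takes above (TLSA records count only when the DNS answer is DNSSEC-validated) comes down to one header bit, AD. As an added example that is not part of any message in this thread and is not Postfix code, the sketch below classifies a raw DNS response that way; `tlsa_verdict`, `skip_name`, the `verdict` enum and the `mx.example` response bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum verdict { TLSA_ERROR = -1, TLSA_NONE, TLSA_INSECURE, TLSA_SECURE };

/* Constructed response for _25._tcp.mx.example TLSA; digest bytes left zero. */
static unsigned char SAMPLE[84] = {
    0x12,0x34, 0x81,0xA0, 0,1, 0,1, 0,0, 0,0,        /* header: QR RD | RA AD */
    3,'_','2','5', 4,'_','t','c','p', 2,'m','x',
    7,'e','x','a','m','p','l','e', 0, 0,52, 0,1,     /* question, type TLSA */
    0xC0,12, 0,52, 0,1, 0,0,14,16, 0,35, 3,1,1       /* answer: 3 1 1 + digest */
};

static unsigned rd16(const unsigned char *p) { return (p[0] << 8) | p[1]; }
/* Skip an encoded name; returns the next offset, or 0 if malformed. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    for (; off < len; off += 1 + m[off]) {
        if (m[off] == 0) return off + 1;
        if ((m[off] & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;
        if (m[off] & 0xC0) return 0;         /* reserved label type */
    }
    return 0;
}

/* TLSA records are usable only when the resolver set AD (validated). */
enum verdict tlsa_verdict(const unsigned char *m, size_t len)
{
    size_t off = 12, i, tlsa = 0;
    if (len < 12 || !(m[2] & 0x80) || (m[3] & 0x0F)) return TLSA_ERROR;
    for (i = 0; i < rd16(m + 4); i++)        /* question section */
        if (!(off = skip_name(m, len, off)) || (off += 4) > len) return TLSA_ERROR;
    for (i = 0; i < rd16(m + 6); i++) {      /* answer section */
        if (!(off = skip_name(m, len, off)) || off + 10 > len) return TLSA_ERROR;
        tlsa += rd16(m + off) == 52;         /* RR type 52 = TLSA */
        off += 10;
        if (rd16(m + off - 2) > len - off) return TLSA_ERROR;
        off += rd16(m + off - 2);            /* skip RDATA */
    }
    return !tlsa ? TLSA_NONE : (m[3] & 0x20) ? TLSA_SECURE : TLSA_INSECURE;
}

int main(void)
{
    int validated = tlsa_verdict(SAMPLE, sizeof SAMPLE);
    SAMPLE[3] &= ~0x20;                      /* same answer with AD stripped */
    printf("AD set: %d, AD stripped: %d\n", validated, tlsa_verdict(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

The AD bit is only as trustworthy as the path to the validating resolver that set it, so this check assumes a resolver reached over a trusted channel such as loopback.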