On Sat, Jun 13, 2020 at 06:24:02PM +0200, Ján Máté wrote:

> but I found the problem and it will be hard to fix. Postfix TLS code sends 
> SNI only for DANE

Actually, SNI is also sent when the policy table has a non-empty setting
for the "servername" keyword:

    http://www.postfix.org/TLS_README.html#client_tls_policy

    may
        Opportunistic TLS. The optional "ciphers", "exclude" and "protocols"
        attributes (available for opportunistic TLS with Postfix ≥ 2.6) override
        the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and
        "smtp_tls_protocols" configuration parameters. At this level and higher,
        the optional "servername" attribute (available with Postfix ≥ 3.4)
        overrides the global "smtp_tls_servername" parameter, enabling
        per-destination configuration of the SNI extension sent to the remote
        SMTP server. 

> postfix-mta-sts-resolver's return value for "smtp_tls_policy_maps" is "secure 
> match=smtp.infcloud.com":

If the MTA-STS policy table service overrides DANE policy in the
presence of TLSA records for the domain, then it is broken.  If however,
DANE records are not present, then the MTA-STS service MUST instead
return one of:

        verify servername=hostname
   or
        secure servername=hostname match=hostname

The only difference (a mistake on my part in retrospect) between
"verify" and "secure" is that "secure" defaults to matching the
"nexthop" domain, while "verify" defaults to matching the MX "hostname".
These cases should probably not have been two separate levels.

> and postfix does not send SNI if smtp_tls_security_level is "secure".

By default, for backwards compatibility, but it does if either there's
a policy setting for "servername" or "smtp_tls_servername" is set in
main.cf.

    http://www.postfix.org/postconf.5.html#smtp_tls_servername

> So the question is rather simple - how to force Postfix to use SNI for 
> "secure" smtp_tls_security_level only.

Fix the MTA-STS socketmap server to return the requisite (i.e.
"hostname") setting for the "servername" policy parameter.

> And the good solution is maybe to add another security level called
> "secure-sni", which will send SNI as required by MTA-STS.

Not needed.

-- 
    Viktor.
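The policy-table fix Viktor describes, worked out as an added example (this is not code from the message, from Postfix, or from postfix-mta-sts-resolver): a small Python function that turns a parsed MTA-STS policy for a next-hop domain into the value the socketmap server should hand back for "smtp_tls_policy_maps". Assumptions are the input shape (a dict with "mode" and "mx" in RFC 8461 form), that the caller has already checked for TLSA records and passes that as a flag, that the global smtp_tls_security_level is "dane" so an empty lookup result leaves DANE in charge, and that Postfix's leading-dot parent-domain match rule is an acceptable stand-in for the single-label "*." wildcard of MTA-STS.

```python
"""Derive a Postfix smtp_tls_policy_maps value from an MTA-STS policy.

Added example; not code from Postfix or postfix-mta-sts-resolver.
Assumed input: a parsed MTA-STS policy for the next-hop domain, e.g.
{"mode": "enforce", "mx": ["*.example.com", "mail.example.com"]}, plus a
caller-supplied flag saying whether TLSA records exist for the domain's MX.
"""


def sts_pattern_to_postfix(pattern):
    """Map an RFC 8461 mx pattern to a Postfix certificate match rule.

    '*.example.com'    -> '.example.com'    (Postfix parent-domain match;
                                              assumption: used here as a
                                              superset of the one-label
                                              MTA-STS wildcard)
    'mail.example.com' -> 'mail.example.com' (exact match)
    """
    pat = pattern.strip().lower().rstrip(".")
    if pat.startswith("*."):
        return pat[1:]
    return pat


def policy_value(policy, has_tlsa=False, level="secure"):
    """Return the smtp_tls_policy_maps value for this domain, or '' for
    'no entry'.

    '' leaves the lookup unmatched, so Postfix applies the global
    smtp_tls_security_level; this example assumes that is 'dane', so TLSA
    records keep precedence and MTA-STS never overrides DANE.
    """
    if has_tlsa:
        return ""
    if policy.get("mode") != "enforce":
        return ""  # 'testing' and 'none' impose no requirement on the sender
    if level not in ("verify", "secure"):
        raise ValueError("MTA-STS needs a certificate-verifying level")
    rules = [sts_pattern_to_postfix(p) for p in policy.get("mx", [])]
    if not rules:
        raise ValueError("enforce-mode policy without mx entries")
    # servername=hostname makes Postfix send the MX hostname as SNI; without
    # it (or smtp_tls_servername in main.cf) no SNI is sent at 'secure'.
    # match= lists the policy's allowed MX names, colon-separated.
    return "%s servername=hostname match=%s" % (level, ":".join(rules))


if __name__ == "__main__":
    # Constructed sample policy, not fetched from any real domain.
    sample = {"mode": "enforce", "mx": ["*.example.com", "mail.example.com"]}
    print(policy_value(sample))
    print(repr(policy_value(sample, has_tlsa=True)))
```

The lookup key on the Postfix side is the next-hop domain, so one value covers every MX of that domain; the "servername=hostname" keyword (literally the word "hostname") then tells Postfix to put each MX's own name in the SNI extension.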
