proposed text for crypto-policies in Packaging Guidelines
Reindl Harald
h.reindl at thelounge.net
Fri Aug 8 13:36:51 UTC 2014
Am 08.08.2014 um 15:21 schrieb Nikos Mavrogiannopoulos:
> Postfix is a different kind of beast though. It does not typically use
> TLS, but uses some kind of opportunistic security that allows anonymous
> ciphersuites. So it's a bit hard to enforce anything there, as
> man-in-the-middle attacks are possible by design
and keep in mind in case of opportunistic TLS if you restrict
ciphers and the SMTP client don't support what you offer it
falls back to completly plaintext which defeats the intention
for secured and verified SMTP it needs special care
* DANE and DNSSEC which goes far above email only
* smtpd_tls_ask_ccert where admins of both sides must work
together and also coordinate cert changes
in short:
MTA's acting as public MX must not enforce default TLS policies
from the distribution shipping the package
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/security/attachments/20140808/03fe2d92/attachment.sig>
More information about the security
mailing list