
List:       postfix-users
Subject:    Re: Respecting MTA-STS
From:       Viktor Dukhovni <postfix-users () dukhovni ! org>
Date:       2019-10-18 0:26:53
Message-ID: 20191018002653.GR34850 () straasha ! imrryr ! org

On Fri, Oct 11, 2019 at 02:17:16PM -0400, Viktor Dukhovni wrote:

> > that Gmail enabled SNI on their SMTP client is an indicator that using SNI
> > may not cause relevant trouble.  But it's also known that Gmail is able to do
> > such stuff very selectively to prevent damage.
> 
> Indeed I am not presently able to rule out that possibility; the
> question could be posed to the Gmail email engineering team directly,
> they probably know the answer.

I've reached out to two Gmail engineers, don't yet have an answer.
It could take some time...

On Thu, Oct 17, 2019 at 03:33:47PM -0400, Daniel Kahn Gillmor wrote:

> If we shift the default for postfix this way, and an installation
> observes a specific failure on a target delivering host, they can
> override this setting (bringing it back to the empty string) manually.

Yes.

> ---
>  postfix/html/postconf.5.html     | 4 ++--
>  postfix/man/man5/postconf.5      | 4 ++--

These files are build artefacts, not sources, the source file is
proto/postconf.proto, from which both are constructed, and which
then also updates the defaults reported in manpages that reference
the parameter.  It suffices to update the source, and the rest
happens when Wietse builds a package for distribution.


> --- a/postfix/src/global/mail_params.h
> +++ b/postfix/src/global/mail_params.h
> @@ -1598,9 +1598,9 @@ extern char *var_smtp_tls_sec_cmatch;
>  extern char *var_smtp_tls_fpt_cmatch;
>  
>  #define VAR_SMTP_TLS_SNI "smtp_tls_servername"
> -#define DEF_SMTP_TLS_SNI ""
> +#define DEF_SMTP_TLS_SNI "hostname"
>  #define VAR_LMTP_TLS_SNI "lmtp_tls_servername"
> -#define DEF_LMTP_TLS_SNI ""
> +#define DEF_LMTP_TLS_SNI "hostname"
>  extern char *var_smtp_tls_sni;
>  
>  #define VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY "smtp_tls_block_early_mail_reply"
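Review bot: the documented default for smtp_tls_servername and lmtp_tls_servername needs to change in proto/postconf.proto alongside this hunk; the diffstat above touches only the generated postconf.5.html and postconf.5, which are rebuilt from the .proto source, so the manpage default would not track the new `DEF_SMTP_TLS_SNI "hostname"` / `DEF_LMTP_TLS_SNI "hostname"` values unless the source file is updated too.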

Should the LMTP default be explicit, or should it inherit the SMTP
setting?  I guess the current empty values are explicit, so inheritance
would be a surprising change.

I'd prefer to wait to hear back from my Gmail contacts, but this
change probably makes sense these days.

-- 
	Viktor.
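What the proposed default change looks like from an operator's side, as an added main.cf example (not part of the original message or of the Postfix patch under discussion). It assumes Postfix 3.4 or later, where smtp_tls_servername exists and smtp_tls_policy_maps accepts a per-destination servername attribute; the destination names are constructed for illustration.

```conf
# main.cf -- added example, not from the thread or the Postfix sources.
#
# With the patch applied, the compiled-in default becomes "hostname",
# so the following line is equivalent to leaving the parameter unset:
smtp_tls_servername = hostname

# An installation that observes an SNI-related failure on some target
# can restore the pre-patch behaviour globally, as described in the
# thread, by setting the parameter back to the empty string:
#
#   smtp_tls_servername =
#
# Verify which value is in effect versus the compiled-in default:
#
#   postconf smtp_tls_servername     # effective value from main.cf
#   postconf -d smtp_tls_servername  # compiled-in default
#
# Alternative (assumed from the smtp_tls_policy_maps documentation):
# keep the global setting empty and enable SNI only for destinations
# known to handle it, via a per-destination policy table.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

The matching constructed /etc/postfix/tls_policy entry would be `example.com  dane servername=hostname` (or `secure servername=hostname` for a DANE-less destination); run `postmap /etc/postfix/tls_policy` after editing it and `postconf -n | grep tls_servername` to confirm what is actually configured.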