author: Jeremy Harris <jgh146exb@wizmail.org>, 2016-04-24 16:53:25 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org>, 2016-04-24 16:53:25 +0100
commit: 4b0fe31936b336d12836875101dcac6599d127ee
tree: 2495b59338f71113b5fbf3b4d2659fc3e709710c /doc
parent: c035b645ba3549472b9a835b845c2027b16a4cf2
DANE: Remove fallback from hosts_try_dane. If TLSA record not retrieved,
do not use this host.
Diffstat (limited to 'doc')
 -rw-r--r--  doc/doc-txt/ChangeLog              | 10
 -rw-r--r--  doc/doc-txt/experimental-spec.txt  | 10
 2 files changed, 16 insertions, 4 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 496e9d07e..cecd2a038 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -10,6 +10,16 @@ JH/02 The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
+JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
+ a downgraded non-dane trust-anchor for the TLS connection (CA-style)
+ or even an in-clear connection were permitted. Now, if the host lookup
+ was dnssec and dane was requested then the host is only used if the
+ TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
+ MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
+ if one fails this test.
+ This means that a poorly-configured remote DNS will make it incommunicado;
+ but it protects against a DNS-interception attack on it.
+
Exim version 4.87
-----------------
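Review bot: the new JH/03 entry only covers the case "if the host lookup was dnssec and dane was requested" and leaves the other hosts_try_dane case unstated: what happens to a host whose MX/A lookup was not DNSSEC-validated. The experimental spec changed in this same commit says a TLSA lookup is only attempted when the host lookup succeeded using dnssec, so a reader needs to know whether such a host is still delivered to with the old non-DANE TLS (or cleartext) behaviour or is skipped as well; add one sentence saying which. The parenthesis "(for hosts_try_dane though not for hosts_require_dane)" also deserves a word more: if a failed TLSA lookup under hosts_require_dane means further MXs are not tried, say whether the delivery is then deferred or the message failed. Smaller points: "dane" and "dnssec" are lower-cased here while the spec writes DANE and DNSSEC, and "make it incommunicado" reads oddly in a ChangeLog; "will make that host undeliverable from this MTA" says the same thing plainly.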
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 4836a7d51..993b5b05c 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -884,18 +884,20 @@ with DANE in their OCSP settings.
For client-side DANE there are two new smtp transport options,
-hosts_try_dane and hosts_require_dane. They do the obvious thing.
+hosts_try_dane and hosts_require_dane.
[ should they be domain-based rather than host-based? ]
+Hosts_require_dane will result in failure if the target host
+is not DNSSEC-secured.
+
DANE will only be usable if the target host has DNSSEC-secured
MX, A and TLSA records.
A TLSA lookup will be done if either of the above options match
and the host-lookup succeded using dnssec.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
-will be required for the host.
-
-(TODO: specify when fallback happens vs. when the host is not used)
+will be required for the host. If it does not, the host will not
+be used; there is no fallback to non-DANE or non-TLS.
If DANE is requested and useable (see above) the following transport
options are ignored:
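Review bot: "If it does not" in the added line is ambiguous after "If a TLSA lookup is done and succeeds": it can be read as "if no TLSA lookup is done" as well as "if the lookup fails", and the preceding sentence has just said a lookup is only done when the host lookup was dnssec. Spell the condition out, e.g. "If the TLSA lookup fails, or its result is not DNSSEC-validated, the host will not be used; there is no fallback to non-DANE TLS or to a cleartext connection." Likewise "Hosts_require_dane will result in failure" should say what fails: the host being skipped, the delivery being deferred, or the message being bounced. The pre-existing typo "succeded" on the context line could be fixed while this paragraph is being edited, and the bracketed "[ should they be domain-based rather than host-based? ]" note is an open design question that does not belong in a spec paragraph that is now being tightened.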