Re: proposed text for crypto-policies in Packaging Guidelines


 



On Fri, 2014-08-08 at 15:36 +0200, Reindl Harald wrote:
> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> > Postfix is a different kind of beast though. It does not typically use
> > TLS, but uses some kind of opportunistic security that allows anonymous
> > ciphersuites. So it's a bit hard to enforce anything there, as
> > man-in-the-middle attacks are possible by design
> 
> and keep in mind in case of opportunistic TLS if you restrict
> ciphers and the SMTP client doesn't support what you offer it
> falls back to completely plaintext which defeats the intention
[...]
> in short:
> MTAs acting as public MX must not enforce default TLS policies
> from the distribution shipping the package

Not really. I'd expect a mail server to always connect with TLS to
servers that it has previously connected with TLS to. Otherwise I could
always see the plaintext messages by blocking any TLS communication.
Nevertheless, this is application policy, and the system policy does not
apply here.

regards,
Nikos


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
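
The behaviour described in the reply above (keep using TLS with any server that has used it before, so that blocking TLS cannot force plaintext), sketched as an added example that is not part of the original message and is not Postfix code. The class, function and domain names are hypothetical, and a TLS handshake is assumed to succeed whenever STARTTLS is offered.

```python
# Added illustration of a "remember TLS peers" delivery policy.
# All names are hypothetical; this is not how any particular MTA implements it.
from dataclasses import dataclass, field


def normalize(domain: str) -> str:
    """Compare domains case-insensitively and without a trailing dot."""
    return domain.strip().lower().rstrip(".")


@dataclass
class TlsMemoryPolicy:
    # Domains that have completed a TLS session with us at least once.
    seen_tls: set = field(default_factory=set)

    def decide(self, domain: str, offers_starttls: bool) -> str:
        """Return 'tls', 'plaintext' or 'defer' for one delivery attempt."""
        if offers_starttls:
            return "tls"
        if normalize(domain) in self.seen_tls:
            # The peer used TLS before but STARTTLS is missing now.
            # This is what a stripped STARTTLS looks like from the client,
            # so queue the mail instead of falling back to plaintext.
            return "defer"
        # Never seen TLS from this peer: opportunistic fallback is allowed.
        return "plaintext"

    def record_tls_success(self, domain: str) -> None:
        self.seen_tls.add(normalize(domain))


def replay(sessions):
    """Run constructed (domain, offers_starttls) attempts through the policy."""
    policy = TlsMemoryPolicy()
    decisions = []
    for domain, offers_starttls in sessions:
        action = policy.decide(domain, offers_starttls)
        if action == "tls":
            # Assumption: the handshake succeeds whenever STARTTLS is offered.
            policy.record_tls_success(domain)
        decisions.append(action)
    return decisions


# Constructed sample attempts, in time order.
SESSIONS = [
    ("mx.example.org", True),    # first contact, TLS available
    ("MX.example.org.", False),  # same peer, STARTTLS suddenly absent
    ("mx.example.net", False),   # peer that has never offered TLS
    ("mx.example.net", True),    # peer later enables TLS
    ("mx.example.net", False),   # and is then seen without it
]

if __name__ == "__main__":
    for (domain, offered), action in zip(SESSIONS, replay(SESSIONS)):
        print(f"{domain:18} starttls={offered!s:5} -> {action}")
```

The trade-off raised in the quoted text still applies: a peer that genuinely stops offering TLS has its mail deferred until an operator clears the remembered entry.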




