On 04/27/2016 12:59 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder <alice@xxxxxxxxxxxxxx> wrote:
>> That is the only reliable way to avoid MITM with SMTP.
> Except I can just strip STARTTLS and most MTAs will continue to connect.
No you can't.
Not with an SMTP that enforces DANE.
If my postfix sees that your SMTP publishes a DANE record then it will
refuse to connect unless it is a secure connection with a certificate
that matches the fingerprint in the TLSA record.
See RFC 7672.
But the postfix in RHEL / CentOS 7 does not support that.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos