Re: [dane] Delivery of email if MX is not signed

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Mon, Aug 24, 2015 at 04:51:19AM +0200, Patrik F?ltstr?m wrote:

> I want the validation of the cert used for the TLS connection to use the
> same rules for trust regardless of whether DANE is used (i.e. signed and
> properly validated TLSA record for the peer) or if X.509 cert/PKI from
> some CA is in use.

What rules would that be?  Without DANE or local configuration,
SMTP does no authentication of the peer, for reasons explained in
Section 1.3 of the draft, that we don't need to repeat.

> What I read in the draft, and what I read in the paper Jan wrote after
> testing Postfix and what I read here in the responses I get is that DANE
> is trusted LESS than X.509 certs.

This is a misapprehesion on your part.

> 1. X.509
> 
> 1.1 Unsigned MX
> 1.2 cert validated from some CA that is trusted

No.  Non-DANE SMTP does unauthenticated TLS, and the cert is ignored,
whether its trust chain verifies or not.

> 2. DANE
> 
> 2.1 Unsigned MX
> 2.2 cert validated via signed TLSA with DNSSEC chain of trust to some TA

In both cases no authentication is performed.

> I think they should be equivalent.

They are equivalent, you get no protection from active attacks.

> If they are, also in the implementation in postfix, then just tell me and I'll shut up.

With "smtp_tls_security_level = dane", the two cases are treated
identically, neither authenticate the peer, and both deliver the
mail regardless of the content of the peer certificate if any.

-- 
	Viktor.