TLS-only forwarding

jhmartin
Posts: 10
Joined: Sat Oct 29, 2005 2:01 pm

TLS-only forwarding

Post by jhmartin »

When running Rollernet as an MX, consider allowing me to designate that only TLS connections should be made to my primary mailserver, and force checking of the provided certificate. Please also allow CACert as a valid CA.
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: TLS-only forwarding

Post by Seth »

Mandatory TLS and fingerprinting requirements are on our to do list.
Seth Mattinen, Roller Network LLC
jhmartin
Posts: 10
Joined: Sat Oct 29, 2005 2:01 pm

Re: TLS-only forwarding

Post by jhmartin »

Any update on this? I can imagine 3 modes:

'TLS Accepted' (the default, attempts TLS w/o cert validation but falls back to cleartext)
'Flexible TLS' - requires TLS but does not check the validity of the cert
'Strict TLS' - requires TLS and that the cert is valid.

A further enhancement is requiring a specific CA or possibly key fingerprint. LetsEncrypt certs are shortish lived so requiring a specific cert may not be ideal.
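One way the three modes above, plus a key-fingerprint pin, could be modelled in an outbound forwarder's delivery logic. This is an added example, not Roller Network's code; the mode names, the HandshakeResult record (filled in by the caller after the STARTTLS attempt) and the decision strings are hypothetical.

```python
import hashlib
import ssl
from dataclasses import dataclass
from typing import Optional

# Policy modes as proposed in the thread (hypothetical identifiers).
TLS_ACCEPTED = "tls_accepted"   # try TLS, fall back to cleartext if it fails
FLEXIBLE_TLS = "flexible_tls"   # TLS required, certificate not validated
STRICT_TLS = "strict_tls"       # TLS required, certificate must chain to a trusted CA


def build_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """SSLContext an outbound SMTP client would hand to starttls() for this mode.
    `cafile` lets the operator trust an extra CA bundle (e.g. a CACert root);
    None means the system trust store."""
    if mode == STRICT_TLS:
        # Chain and hostname verification on; the handshake raises on a bad cert.
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # accepted/flexible: encrypt, do not validate
    return ctx


@dataclass
class HandshakeResult:
    """Constructed summary of one STARTTLS attempt (hypothetical record)."""
    starttls_offered: bool
    tls_established: bool              # False also when strict verification failed
    spki_der: Optional[bytes] = None   # DER SubjectPublicKeyInfo of the peer leaf cert


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the public key rather than the whole certificate, so a renewed
    Let's Encrypt cert that keeps its key still matches the configured pin."""
    return hashlib.sha256(spki_der).hexdigest()


def decide(mode: str, result: HandshakeResult, pinned_spki: Optional[str] = None) -> str:
    """Return 'deliver', 'cleartext' or 'defer' for one delivery attempt."""
    if not result.tls_established:
        if mode == TLS_ACCEPTED:
            return "cleartext"   # opportunistic mode degrades to plain SMTP
        return "defer"           # flexible/strict: queue, never send in the clear
    if pinned_spki is not None:
        if result.spki_der is None or spki_fingerprint(result.spki_der) != pinned_spki:
            return "defer"       # TLS is up but the key is not the one we expect
    return "deliver"
```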
Seth
Site Admin
Posts: 309
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: TLS-only forwarding

Post by Seth »

Back when I originally imagined doing this the idea was for strict mode that would only proceed if the fingerprint of the server we connected to matched what was configured in the control center. But as you said, LetsEncrypt certs are short lived, so you'd have to change that setting constantly which is not ideal.
Seth Mattinen, Roller Network LLC
jhmartin
Posts: 10
Joined: Sat Oct 29, 2005 2:01 pm

Re: TLS-only forwarding

Post by jhmartin »

Any word on this?