mirror of
https://github.com/certbot/certbot.git
synced 2026-06-06 15:22:38 -04:00
Merge remote-tracking branch 'github/master'
Conflicts: ConfigParser.py starttls-everywhere.json
This commit is contained in:
Peter Eckersley
commit
45aeb5b003
5 changed files with 50 additions and 45 deletions
|
|
@ -75,10 +75,11 @@ class Config:
|
|||
else:
|
||||
raise ValueError, "Not a known enoforcement policy " + `value`
|
||||
elif atr == "acceptable-mxs":
|
||||
for domain, mxball in acceptable_mx:
|
||||
self.acceptable_mxs = val
|
||||
for domain, mxball in selg.acceptable_mxs:
|
||||
pass
|
||||
else:
|
||||
sys.stderr.write("Uknown attribute: " + `atr` + "\n")
|
||||
sys.stderr.write("Unknown attribute: " + `atr` + "\n")
|
||||
# XXX is it ever permissible to have a domain with an acceptable-mx
|
||||
# that does not point to a TLS security policy? If not, check/warn/fail
|
||||
# here
|
||||
|
|
@ -93,11 +94,6 @@ class Config:
|
|||
d = str(domain) # convert from unicode
|
||||
except:
|
||||
raise TypeError, "tls-policy domain not a string" + `domain`
|
||||
if not d.startswith("*."):
|
||||
raise ValueError, "tls-policy domains must start with *.; try *."+d
|
||||
d = d.partition("*.")[2]
|
||||
if not looks_like_a_domain(d):
|
||||
raise ValueError, "tls-policy for something that a domain? " + d
|
||||
yield (d, policies)
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
|
|
|||
|
|
@ -117,10 +117,15 @@ class PostfixConfigGenerator(MTAConfigGenerator):
|
|||
|
||||
def set_domainwise_tls_policies(self):
|
||||
self.policy_lines = []
|
||||
for domain, policy in self.policy_config.tls_policies.items():
|
||||
entry = domain + " encrypt"
|
||||
if "min-tls-version" in policy:
|
||||
entry += " " + policy["min-tls-version"]
|
||||
for address_domain, properties in self.policy_config.acceptable_mxs.items():
|
||||
mx_list = properties["accept-mx-domains"]
|
||||
if len(mx_list) > 1:
|
||||
print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain
|
||||
mx_domain = mx_list[0]
|
||||
mx_policy = self.policy_config.tls_policies[mx_domain]
|
||||
entry = address_domain + " encrypt"
|
||||
if "min-tls-version" in mx_policy:
|
||||
entry += " " + mx_policy["min-tls-version"]
|
||||
self.policy_lines.append(entry)
|
||||
|
||||
f = open(DEFAULT_POLICY_FILE, "w")
|
||||
|
|
|
|||
|
|
@ -33,6 +33,10 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d
|
|||
|
||||
Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs.
|
||||
|
||||
## Alternatives
|
||||
|
||||
Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier.
|
||||
|
||||
## Detailed design
|
||||
|
||||
Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide:
|
||||
|
|
|
|||
|
|
@ -4,13 +4,13 @@
|
|||
"author": "Electronic Frontier Foundation https://eff.org",
|
||||
"expires": 1404677353, "comment 2:": "epoch seconds",
|
||||
"tls-policies": {
|
||||
"*.valid-example-recipient.com": {
|
||||
".valid-example-recipient.com": {
|
||||
"min-tls-version": "TLSv1.1"
|
||||
}
|
||||
},
|
||||
"acceptable-mxs": {
|
||||
"valid-example-recipient.com": {
|
||||
"accept-mx-domains": [ "*.valid-example-recipient.com" ]
|
||||
"accept-mx-domains": [ ".valid-example-recipient.com" ]
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,149 +1,149 @@
|
|||
{
|
||||
"tls-policies": {
|
||||
"*.valid-example-recipient.com": {
|
||||
".valid-example-recipient.com": {
|
||||
"force-tls" : true
|
||||
},
|
||||
"*.mx.aol.com": {
|
||||
".mx.aol.com": {
|
||||
"min-tls-version": "TLSv1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.psmtp.com": {
|
||||
".psmtp.com": {
|
||||
"min-tls-version": "TLSv1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.ukr.net": {
|
||||
".ukr.net": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.interia.pl": {
|
||||
".interia.pl": {
|
||||
"min-tls-version": "TLSv1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.gmx.net": {
|
||||
".gmx.net": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.web.de": {
|
||||
".web.de": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.marktplaats.nl": {
|
||||
".marktplaats.nl": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.wp.pl": {
|
||||
".wp.pl": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.yahoodns.net": {
|
||||
".yahoodns.net": {
|
||||
"min-tls-version": "TLSv1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.t-online.de": {
|
||||
".t-online.de": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.rambler.ru": {
|
||||
".rambler.ru": {
|
||||
"min-tls-version": "TLSv1.1",
|
||||
"require-tls": true
|
||||
},
|
||||
"*.t.facebook.com": {
|
||||
".t.facebook.com": {
|
||||
"min-tls-version": "TLSv1",
|
||||
"require-tls": true
|
||||
}
|
||||
},
|
||||
"acceptable-mxs": {
|
||||
"valid-example-recipient.com": {
|
||||
"accept-mx-domains": [ "*.valid-example-recipient.com" ]
|
||||
"accept-mx-domains": [ ".valid-example-recipient.com" ]
|
||||
},
|
||||
"wp.pl": {
|
||||
"accept-mx-domains": [
|
||||
"*.wp.pl"
|
||||
".wp.pl"
|
||||
]
|
||||
},
|
||||
"yahoo.co.uk": {
|
||||
"accept-mx-domains": [
|
||||
"*.yahoodns.net"
|
||||
".yahoodns.net"
|
||||
]
|
||||
},
|
||||
"rocketmail.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.yahoodns.net"
|
||||
".yahoodns.net"
|
||||
]
|
||||
},
|
||||
"web.de": {
|
||||
"accept-mx-domains": [
|
||||
"*.web.de"
|
||||
".web.de"
|
||||
]
|
||||
},
|
||||
"sbcglobal.net": {
|
||||
"accept-mx-domains": [
|
||||
"*.yahoodns.net"
|
||||
".yahoodns.net"
|
||||
]
|
||||
},
|
||||
"aol.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.mx.aol.com"
|
||||
".mx.aol.com"
|
||||
]
|
||||
},
|
||||
"facebook.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.t.facebook.com"
|
||||
".t.facebook.com"
|
||||
]
|
||||
},
|
||||
"sompo-japan.co.jp": {
|
||||
"accept-mx-domains": [
|
||||
"*.psmtp.com"
|
||||
".psmtp.com"
|
||||
]
|
||||
},
|
||||
"salesforce.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.psmtp.com"
|
||||
".psmtp.com"
|
||||
]
|
||||
},
|
||||
"rambler.ru": {
|
||||
"accept-mx-domains": [
|
||||
"*.rambler.ru"
|
||||
".rambler.ru"
|
||||
]
|
||||
},
|
||||
"t-online.de": {
|
||||
"accept-mx-domains": [
|
||||
"*.t-online.de"
|
||||
".t-online.de"
|
||||
]
|
||||
},
|
||||
"gmx.net": {
|
||||
"accept-mx-domains": [
|
||||
"*.gmx.net"
|
||||
".gmx.net"
|
||||
]
|
||||
},
|
||||
"gmx.de": {
|
||||
"accept-mx-domains": [
|
||||
"*.gmx.net"
|
||||
".gmx.net"
|
||||
]
|
||||
},
|
||||
"ukr.net": {
|
||||
"accept-mx-domains": [
|
||||
"*.ukr.net"
|
||||
".ukr.net"
|
||||
]
|
||||
},
|
||||
"rogers.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.yahoodns.net"
|
||||
".yahoodns.net"
|
||||
]
|
||||
},
|
||||
"ymail.com": {
|
||||
"accept-mx-domains": [
|
||||
"*.yahoodns.net"
|
||||
".yahoodns.net"
|
||||
]
|
||||
},
|
||||
"marktplaats.nl": {
|
||||
"accept-mx-domains": [
|
||||
"*.marktplaats.nl"
|
||||
".marktplaats.nl"
|
||||
]
|
||||
},
|
||||
"interia.pl": {
|
||||
"accept-mx-domains": [
|
||||
"*.interia.pl"
|
||||
".interia.pl"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue