mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-11-25 12:31:36 +01:00
Added information of SNI to "tips and tricks" section
This commit is contained in:
parent
e3c510cfa9
commit
7cd1ad0fbe
@ -138,6 +138,7 @@ This section describes several pionts for attention when implementing DANE for S
|
|||||||
* Roll-over scheme "current + next" gives less flexibility but the highest form of certainty, because of "tight pinning".
|
* Roll-over scheme "current + next" gives less flexibility but the highest form of certainty, because of "tight pinning".
|
||||||
* Implement monitoring of your DANE records to be able to detect problems as soon as possible.
|
* Implement monitoring of your DANE records to be able to detect problems as soon as possible.
|
||||||
* Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed.
|
* Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed.
|
||||||
|
* Using Server Name Indication (SNI) in an e-mail environment (for matching the certificate offered by a recieving e-mail server) is only usefull when DANE and DNSSEC are used. DNSSEC to perform a reliable MX lookup and DANE to verify the authenticity of the certificate. Sending e-mail servers (the TLS client) usually don't use SNI, because some receiving e-mail servers (the TLS server) cannot handle this; in some cases the setting up of a TLS connection fails. For more information see [RFC 7672 section 8.1](https://tools.ietf.org/html/rfc7672#section-8.1) and [this blogpost by Filippo Valsorda](https://blog.filippo.io/the-sad-state-of-smtp-encryption/).
|
||||||
|
|
||||||
# Inbound e-mail traffic (publishing DANE DNS records)
|
# Inbound e-mail traffic (publishing DANE DNS records)
|
||||||
This part of the how-to describes the steps that should be taken with regard to your inbound e-mail traffic, which primairily involves publishing DANE DNS records. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.
|
This part of the how-to describes the steps that should be taken with regard to your inbound e-mail traffic, which primairily involves publishing DANE DNS records. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.
|
||||||
|
Loading…
Reference in New Issue
Block a user