5. SecMX: Level 2

by Mike Pearson last modified 2006-11-11 12:32

Best Effort SecMX servers ensure that messages are sent securely when possible (using TLS), however, there are cases when organisations want to ensure that a message is only sent if it can be securely sent. SecMX therefore defines another class of MTAs: Secure Only SecMX servers.

5.  SecMX: Level 2

   Best Effort SecMX servers ensure that messages are sent securely when
   possible (using TLS), however, there are cases when organisations
   want to ensure that a message is only sent if it can be securely
   sent.  SecMX therefore defines another class of MTAs: Secure Only
   SecMX servers.  These support the following:

   Best Effort Sender (BES): A BES will attempt to transfer all mail
      securely (SMTP over TLS).  If an appropriate SOR or BER is found,
      then this is utilised in preference to any standard mail servers.
      Standard mail servers can be used if it fails to find any SecMX
      servers (i.e. transfer the email even if a TLS session could not
      be established with the receiving server).

   Best Effort Receiver (BER): A BER will prefer to receive mail
      securely (SMTP over TLS), but will also receive insecure mail
      (i.e. transfer the email even if a TLS session could not be
      established with the sending server).

   Secure Only Sender (SOS): A SOS will attempt to transfer all email
      securely (SMTP over TLS).  If it cannot find a BER or SOR, it will
      bounce the email.

   Secure Only Receiver (SOR): A SOR will only ever receive mail
      securely (SMTP over TLS) from a SOS or BES.

5.1.  Discovery mechanisms

   Given that a SOR will only ever receive mail securely, it cannot be
   considered a genuine MTA (according to [RFC2487]).  This is because
   the RFC clearly states that publicly-referenced MTAs must not require
   TLS connections.  A SOR cannot therefore be listed in the MX records
   for a domain.

   An additional capability of a SecMX server (SOS or BES) is the
   ability to discover SORs and BESs.

5.1.1.  SRV records

   One mechanism to publish SORs would be to list them in the DNS using
   SRV records (see [RFC2782]).  The SecMX SRV records would have their
   Service field set as "secmx".  The protocol for SecMX will be TCP for
   the foreseeable future.  An example SRV record might therefore look as
   follows:

   _secmx._tcp.domain.govt.nz IN SRV 10 10 25 secmail.domain.govt.nz

   Where the SecMX service for domain.govt.nz is provided by the host
   secmail.domain.govt.nz on tcp port 25.
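As an added illustration (not code from the draft or from any SecMX implementation), the following models the Level 2 sender behaviour above: a sender discovers SORs/BERs via the _secmx._tcp SRV record, an SOS bounces when none is found, and a BES falls back to the ordinary MX hosts. The zone data is constructed in memory so it runs offline; the record names and priorities are assumptions for the example.

```python
# SecMX Level 2 sender routing, added illustration (not the draft's own code).
# Discovery uses the _secmx._tcp SRV record from 5.1.1; DNS data is a
# constructed in-memory zone so the example runs without network access.
from dataclasses import dataclass

# Constructed zone in presentation format: two SecMX SRV records (priority 10
# preferred over 20) plus ordinary MX records. "other.example" has no SecMX.
ZONE = """
_secmx._tcp.domain.govt.nz.  IN SRV 10 10 25 secmail.domain.govt.nz.
_secmx._tcp.domain.govt.nz.  IN SRV 20 10 25 backup.domain.govt.nz.
domain.govt.nz.              IN MX  10 mail.domain.govt.nz.
other.example.               IN MX  10 mail.other.example.
"""

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

def parse_zone(text: str) -> dict:
    """Index SRV and MX records by (owner name without trailing dot, type)."""
    table: dict = {}
    for line in text.strip().splitlines():
        owner, _, rtype, *rdata = line.split()
        owner = owner.rstrip(".")
        if rtype == "SRV":
            pri, wt, port, target = rdata
            rec = Srv(int(pri), int(wt), int(port), target.rstrip("."))
        else:  # MX rdata is (preference, exchange)
            rec = (int(rdata[0]), rdata[1].rstrip("."))
        table.setdefault((owner, rtype), []).append(rec)
    return table

DNS = parse_zone(ZONE)

def secmx_receivers(domain: str) -> list:
    """SOR/BER discovery: _secmx._tcp.<domain> SRV, lowest priority first."""
    recs = DNS.get(("_secmx._tcp." + domain, "SRV"), [])
    return sorted(recs, key=lambda r: (r.priority, -r.weight))

def route(domain: str, sender_class: str) -> tuple:
    """Return (action, host, port) for an SOS or BES delivering to domain."""
    secmx = secmx_receivers(domain)
    if secmx:                      # SecMX receiver preferred over plain MX
        return ("tls-required", secmx[0].target, secmx[0].port)
    if sender_class == "SOS":      # no BER/SOR found: Secure Only Sender bounces
        return ("bounce", None, None)
    mx = sorted(DNS.get((domain, "MX"), []))
    if not mx:                     # no mail server at all (assumed: bounce)
        return ("bounce", None, None)
    return ("tls-opportunistic", mx[0][1], 25)   # BES falls back to MX host
```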

SecMX Level 2 - Response

Posted by NeilSherratt at 2006-09-27 13:13

See comments in point 4. SecMX: Level 1
