letoams / hash-slinger

GNU General Public License v2.0

TLSA should support port 25 from certificate file #3

Closed kkeane closed 8 years ago

kkeane commented 9 years ago

Currently, tlsa will abort if port 25 is specified, because tlsa doesn't support STARTTLS.

However, tlsa should still allow creating a TLSA record from a certificate file, since in that case, there is no need to use the STARTTLS protocol.

letoams commented 9 years ago

On Sun, 1 Feb 2015, Kevin Keane wrote:

> Currently, tlsa will abort if port 25 is specified, because tlsa doesn't support STARTTLS.
>
> However, tlsa should still allow creating a TLSA record from a certificate file, since in that case, there is no need to use the STARTTLS protocol.

The idea is to grab it from the running system, not from a file that might not be the certificate presented by the mailserver. Whether it is for HTTPS or SMTP-STARTTLS.

Paul

kkeane commented 9 years ago

Understood, and in that mode it makes sense to block port 25. The tlsa utility already allows generating the record from a file, though, with the --certificate option, and there are many valid use cases for that scenario. When specifying the --certificate option, it makes perfect sense to allow port 25.

That's even more true because arguably, a tlsa record for port 25 is the most important of the TLSA records (for DANE support), and tlsa currently does not provide any way at all to generate that record directly.

letoams commented 8 years ago

Support was added in git and will be in version 2.7.
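The thread is about producing a port-25 TLSA record from a certificate file rather than from a live connection. The following is an added example written for this page, not hash-slinger's own `tlsa` code: it reads a PEM or DER certificate, pulls out the SubjectPublicKeyInfo with a minimal DER walker (no `cryptography` or OpenSSL dependency), and emits the record in presentation format. The defaults `3 1 1` (DANE-EE, SPKI, SHA-256) are the form RFC 7672 recommends for SMTP. The embedded "certificate" is constructed in the code, follows the X.509 field order so the parser is exercised on realistic structure, and is not signed or valid; the host name `mail.example.com` is likewise an assumption.

```python
"""Build a DANE TLSA record (e.g. for _25._tcp) from a certificate file."""
import base64
import hashlib
import sys

# ---- minimal DER helpers (written for this example) -------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))

def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, value, start, end). Single-byte tags only,
    which is all X.509 certificates use."""
    start = pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], start, end

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (TLSA selector 1 input)."""
    _, cert_body, _, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _, _ = _read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    pos = 0
    tag, _, _, end = _read_tlv(tbs, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, _, pos = _read_tlv(tbs, pos)
    tag, _, start, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[start:end]

# ---- certificate file handling ---------------------------------------------
def pem_to_der(pem: str) -> bytes:
    body = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def load_cert(path: str) -> bytes:
    data = open(path, "rb").read()
    return pem_to_der(data.decode()) if data.startswith(b"-----BEGIN") else data

# ---- TLSA record ------------------------------------------------------------
def digest_hex(data: bytes, mtype: int) -> str:
    if mtype == 0:
        return data.hex()                         # exact match: full DER
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("matching type must be 0, 1 or 2")

def tlsa_record(host: str, port: int, cert_der: bytes, usage: int = 3,
                selector: int = 1, mtype: int = 1, proto: str = "tcp") -> str:
    """Presentation-format TLSA record; defaults give the RFC 7672 '3 1 1' form."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0..3")
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("selector must be 0 or 1")
    owner = f"_{port}._{proto}.{host.rstrip('.')}."
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest_hex(data, mtype)}"

# ---- constructed sample certificate (NOT valid or signed; for offline runs) --
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")
OID_RSA = bytes.fromhex("06092a864886f70d010101")
OID_CN = bytes.fromhex("0603550403")

def _name(cn: str) -> bytes:   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _seq(_tlv(0x31, _seq(OID_CN, _tlv(0x0C, cn.encode()))))

_FAKE_RSA_KEY = _seq(_tlv(0x02, bytes(range(1, 33))),   # fake 256-bit modulus
                     _tlv(0x02, b"\x01\x00\x01"))        # e = 65537
SAMPLE_SPKI = _seq(_seq(OID_RSA, b"\x05\x00"), _tlv(0x03, b"\x00" + _FAKE_RSA_KEY))
_TBS = _seq(
    _tlv(0xA0, _tlv(0x02, b"\x02")),                     # [0] version v3
    _tlv(0x02, b"\x01"),                                 # serialNumber
    _seq(OID_SHA256_RSA, b"\x05\x00"),                   # signature algorithm
    _name("Example Mail CA"),                            # issuer
    _seq(_tlv(0x17, b"250101000000Z"), _tlv(0x17, b"260101000000Z")),  # validity
    _name("mail.example.com"),                           # subject
    SAMPLE_SPKI,                                         # subjectPublicKeyInfo
)
SAMPLE_CERT_DER = _seq(_TBS, _seq(OID_SHA256_RSA, b"\x05\x00"),
                       _tlv(0x03, b"\x00" + bytes(32)))  # fake signature bits

if __name__ == "__main__":
    der = load_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_DER
    print(tlsa_record("mail.example.com", 25, der))
```

Run it with the path to the MTA's certificate file as the first argument to get a `_25._tcp` record; with no argument it uses the constructed sample. Selector 1 is chosen deliberately: a `3 1 1` record keeps matching across certificate renewals as long as the key pair is reused, which is the main operational argument for generating the record from the key material on disk rather than from whatever the server happens to present.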