> On May 18, 2017, at 3:23 AM, Bart Knubben <[email protected]> wrote:
>
> 1. Check this new tool for testing if your mail server checks DANE
> when sending email: https://havedane.net
It is a step in the right direction, though testing should ultimately
be much more comprehensive.
* Test that "expired" certificates are accepted with DANE-EE(3)
* Test that matching hostnames are not required with DANE-EE(3)
* Test multiple DANE-EE(3) SPKI(1) SHA2-256(1) records with
just one matching the chain.
* Probe for digest agility support: test a working SHA2-512(2) with
a non-working SHA2-256(1), and vice versa.
* Test DANE-TA(2) support with TA certificate in the server chain
* Test DANE-TA(2) with wildcard leaf certificate.
* Test DANE-TA(2) with expired leaf certificates, or non-matching
DNS-ID.
* Test optional DANE-TA(2) SPKI(1) Full(0) support with the trust
anchor public key in DNS and the full certificate NOT provided
in the chain (Postfix supports this, other MTAs might not. Per
RFC7671 support for this corner case is optional, and servers MUST
include the trust anchor CA certificate in their chain).
* Test support for a combination of a DANE-TA(2) and a DANE-EE(3)
(both cases).
* Test TLSA record lookup failures (broken RRsig, broken denial of
existence, ...)
* Test DNSSEC-signed domains with MX hostnames in an unsigned zone.
Their TLSA records should not be looked up (delegate "_tcp" to
non-responding and perhaps query-logging servers, sender should
not be delayed by trying to look these up).
...
If you want to check that your Postfix is doing DANE minimally correctly
per this site, just try:
$ myemail=...
$ sendmail -bv -f $myemail [email protected]
$ sendmail -bv -f $myemail [email protected]
$ sendmail -bv -f $myemail [email protected]
Then check your logs. You should see something along the lines of:
May 18 10:10:59 amnesiac postfix/pickup[60085]: B48AC3904F: uid=1001 from=<...>
May 18 10:10:59 amnesiac postfix/cleanup[60313]: B48AC3904F:
message-id=<[email protected]>
May 18 10:10:59 amnesiac postfix/qmgr[17091]: B48AC3904F: from=<...>, size=316,
nrcpt=1 (queue active)
May 18 10:11:00 amnesiac postfix/smtp[60315]: certificate verification failed
for wrong.havedane.net[5.79.70.105]:25: untrusted issuer
/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston
CA/name=EasyRSA/[email protected]
May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection
established to wrong.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F:
to=<[email protected]>, relay=wrong.havedane.net[5.79.70.105]:25,
delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server
certificate not trusted)
May 18 10:11:01 amnesiac postfix/bounce[60328]: B48AC3904F: sender delivery
status notification: 0CA8939052
May 18 10:11:01 amnesiac postfix/qmgr[17091]: B48AC3904F: removed
May 18 10:11:18 amnesiac postfix/pickup[60085]: D1FFC39054: uid=1001 from=<...>
May 18 10:11:18 amnesiac postfix/cleanup[60313]: D1FFC39054:
message-id=<[email protected]>
May 18 10:11:18 amnesiac postfix/qmgr[17091]: D1FFC39054: from=<...>, size=313,
nrcpt=1 (queue active)
May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection
established to do.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054:
to=<[email protected]>, relay=do.havedane.net[5.79.70.105]:25,
delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:19 amnesiac postfix/bounce[60328]: D1FFC39054: sender delivery
status notification: F024239056
May 18 10:11:19 amnesiac postfix/qmgr[17091]: D1FFC39054: removed
May 18 10:11:36 amnesiac postfix/pickup[60085]: 8385E39058: uid=1001 from=<...>
May 18 10:11:36 amnesiac postfix/cleanup[60313]: 8385E39058:
message-id=<[email protected]>
May 18 10:11:36 amnesiac postfix/qmgr[17091]: 8385E39058: from=<...>, size=315,
nrcpt=1 (queue active)
May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection
established to dont.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
AECDH-AES256-SHA (256/256 bits)
May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058:
to=<[email protected]>,
relay=dont.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.91/0.09,
dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:37 amnesiac postfix/bounce[60328]: 8385E39058: sender delivery
status notification: 99CC23905A
May 18 10:11:37 amnesiac postfix/qmgr[17091]: 8385E39058: removed
--
Viktor.