On 2018-05-22 at 14:58 -0400, Eric Tykwinski wrote:
> MTA-STS will probably hit more on the valid certificate deal, but it's on the 
> mta-sts record to get the policy.
> DANE just says this certificate is good, could be expired, self-signed, et al 
> as long as it passes the hash.

DANE has two modes: the certificate (or public key) of the server is in
DNS (DANE-EE), and the certificate (or public key) of the CA which
issued the server certificate is in DNS (DANE-TA).

The DANE-EE/DANE-TA terminology is from RFC 7218.  There are also PKIX-* modes,
but the email-binding spec expressly prohibits those for $reasons.

For DANE-EE, yes: the security is the binding in DNS, and as long as DNS
identifies the certificate presented, you're done.  Plus side: no
hostname verification, etc etc.  Minus side: have to be extremely
careful in how you roll keys, with DNS TTLs and the like all factoring
into how you make changes.

For DANE-TA, no: the CA certificate (which should be presented in the
chain, especially if you're sanely only publishing fingerprints in DNS,
not full certificates) issues the certificate, and all the usual
verification mechanisms have a role.  There are a couple of different
hostnames which might be tried, depending upon the DNSSEC status and
whether CNAMEs are in play; it's complicated because you can have a
DNSSEC-signed zone with TLSA records, where the MX hosts are CNAMEs
(which violates old RFCs but which ~every MTA supports anyway, because
otherwise people would complain that their boss was threatening to fire
them if they couldn't get the mail through) and those CNAMEs point to
unsigned zones.  So I can't easily condense the rules into this email.

RFC 7672 has the full spec for using DANE with SMTP.

Viktor Dukhovni has given a number of presentations on the topic, and
publishes monthly stats on domains with working DANE.  The uptake is
going better than I'd expected.

If you have Golang (1.8+) then a small plug:
  go get go.pennock.tech/smtpdane
to get a query tool; it requires a validating resolver, but otherwise
can be used to probe DNS and your MX hosts and report on status.  Use
`smtpdane -nagios -mx domain.example` to check all the MX hosts for your
domain in NAGIOS-compatible output/exit-codes.  I monitor spodhuis.org
and exim.org using this tool, with `-expect-ocsp` in there too.

-Phil

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop