On 2017-10-26 17:02, Viktor Dukhovni wrote:

>> On Oct 26, 2017, at 5:08 PM, Gao <g...@pztop.com> wrote:
>>
>> I am trying to set up DANE on my mail server.
>
> Thanks for being an early adopter. Your enthusiasm is appreciated.
> Don't forget to *monitor* your deployment, by periodically (at
> least daily) checking that your DNSSEC is working and your
> SMTP server certificate chain matches the published TLSA
> records. Make sure you understand how to do certificate
> rotation correctly:
>
> http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 [1]
> https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766 [2]
> https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ [3]
> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 [4]
> http://tools.ietf.org/html/rfc7671#section-8.1 [5]
> http://tools.ietf.org/html/rfc7671#section-8.4 [6]
>
> By combining "3 1 1" + "2 1 1" TLSA records, the rollover process can be
> substantially simplified:
>
> https://www.ietf.org/mail-archive/web/uta/current/msg01498.html [7]
>
>> But I have never seen a "Verified TLS connection..." in the log.
>> I always got:
>> Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
>> established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2 with
>> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> There are two prerequisites for DANE verification to happen:
>
> 1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
>    DNS resolver and for any meaningful security must be either on
>    the loopback interface or reachable via a securely keyed IPsec
>    tunnel or similar.
>
> AND
>
> 2. The destination domain and its MX host must be in DNSSEC-signed
>    zones.
>
> 3. The MX host must have TLSA records published.
>
> Conditions 2 and 3 are false for Google's MX hosts.
>
>> My system is Postfix 3.2.3 on CentOS 7.4
>> # postconf -d | grep mail_version
>> mail_version = 3.2.3
>>
>> main.cf:
>> smtp_dns_support_level = dnssec
>> smtp_tls_security_level = dane
>> smtp_tls_loglevel = 1
>
> Condition 1 may be false for your system.

For the DNS part (condition 1) I run a local BIND DNS server. The named.conf has these lines:

    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-enable yes;
    dnssec-validation yes;

And in ifconfig-eth0 I have (CentOS 7 uses NetworkManager, so the DNS setting is no longer in resolv.conf):

    DNS1=0.0.0.0

I think this will take care of the *validating* DNSSEC issue, am I right?

I'll start working on the automatic cert rotation issue. I am using Let's Encrypt so I have to solve it.

Cheers,
Gao

Links:
------
[1] http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
[2] https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
[3] https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
[4] https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
[5] http://tools.ietf.org/html/rfc7671#section-8.1
[6] http://tools.ietf.org/html/rfc7671#section-8.4
[7] https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
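As an added illustration of the monitoring check Viktor recommends (computing the TLSA association data of the certificate chain a server presents and comparing it with the published "3 1 1" / "2 1 1" records per RFC 7671), the following Python is not code from this thread or from Postfix: it uses only the standard library, and the function names and the skeletal sample certificates it builds are constructed for the example, not real certificates.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, pos, _ = _tlv(cert_der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)           # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)           # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """Association data for a TLSA selector (0 = full cert, 1 = SPKI) and
    matching type (0 = exact, 1 = SHA-256, 2 = SHA-512)."""
    blob = cert_der if selector == 0 else spki_der(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](blob)

def tlsa_matches(usage, selector, mtype, data, chain):
    """Usage 3 (DANE-EE) must match the leaf (chain[0]); usage 2 (DANE-TA) must
    match an issuer certificate the server includes in its chain."""
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(tlsa_data(c, selector, mtype) == data for c in candidates)

def record_text(usage, selector, mtype, cert_der):
    """Render the RR data an operator would publish, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

# --- constructed sample certificates (skeletal DER, not real or verifiable) ---
def _der(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + value

def make_sample_cert(key_bytes):
    """Build a skeletal v3 Certificate whose SPKI carries key_bytes (hypothetical helper)."""
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") * 5 + spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

LEAF = make_sample_cert(b"\x04" + b"\x11" * 64)      # pretend end-entity key
ISSUER = make_sample_cert(b"\x04" + b"\x22" * 64)    # pretend issuing CA key
```

With real input, feed the DER certificates from the server's handshake as `chain` and the RDATA from the published TLSA RRset as `data`; a "2 1 1" record keyed on the issuer keeps matching across a leaf renewal as long as the server still sends that issuer in its chain.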