> On Sep 25, 2018, at 9:29 AM, Paul Menzel <pmen...@molgen.mpg.de> wrote:
> 
> We want to improve that. Unfortunately, DANE is not an option as the DFN
> does not support that,

What do you mean by "DFN does not support that"?  If by "DFN" you mean
"DFN-Verein", their certificates pose no compatibility issues with DANE.
For example:

    uni-wuppertal.de. IN MX 20 mail1.uni-wuppertal.de. ; NoError AD=1
    uni-wuppertal.de. IN MX 20 mail2.uni-wuppertal.de. ; NoError AD=1
    mail1.uni-wuppertal.de. IN A 132.195.64.21 ; NoError AD=1
    mail1.uni-wuppertal.de. IN AAAA 2001:638:50a:64::21 ; NoError AD=1
    _25._tcp.mail1.uni-wuppertal.de. IN TLSA 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422 ; NoError AD=1
      mail1.uni-wuppertal.de[132.195.64.21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
      mail1.uni-wuppertal.de[2001:638:50a:64::21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
        TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
        name = mail1.uni-wuppertal.de
        depth = 0
          Issuer CommonName = Uni-Wuppertal CA
          Issuer Organization = Bergische Universitaet Wuppertal
          notBefore = 2016-11-02T09:23:43Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = mail1.uni-wuppertal.de
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [matched] <- 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422
        depth = 1
          Issuer CommonName = DFN-Verein PCA Global - G01
          Issuer Organization = DFN-Verein
          notBefore = 2014-05-27T14:53:55Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Uni-Wuppertal CA
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
        depth = 2
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 2014-07-22T12:08:26Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = DFN-Verein PCA Global - G01
          Subject Organization = DFN-Verein
          pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
        depth = 3
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 1999-07-09T12:11:00Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Deutsche Telekom Root CA 2
          Subject Organization = Deutsche Telekom AG
          pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6
    mail2.uni-wuppertal.de. IN A 132.195.64.6 ; NoError AD=1
    mail2.uni-wuppertal.de. IN AAAA 2001:638:50a:64::6 ; NoError AD=1
    _25._tcp.mail2.uni-wuppertal.de. IN TLSA 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a ; NoError AD=1
      mail2.uni-wuppertal.de[132.195.64.6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
      mail2.uni-wuppertal.de[2001:638:50a:64::6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
        TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
        name = mail2.uni-wuppertal.de
        depth = 0
          Issuer CommonName = Uni-Wuppertal CA
          Issuer Organization = Bergische Universitaet Wuppertal
          notBefore = 2016-11-02T09:23:45Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = mail2.uni-wuppertal.de
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [matched] <- 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a
        depth = 1
          Issuer CommonName = DFN-Verein PCA Global - G01
          Issuer Organization = DFN-Verein
          notBefore = 2014-05-27T14:53:55Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Uni-Wuppertal CA
          Subject Organization = Bergische Universitaet Wuppertal
          pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
        depth = 2
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 2014-07-22T12:08:26Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = DFN-Verein PCA Global - G01
          Subject Organization = DFN-Verein
          pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
        depth = 3
          Issuer CommonName = Deutsche Telekom Root CA 2
          Issuer Organization = Deutsche Telekom AG
          notBefore = 1999-07-09T12:11:00Z
          notAfter = 2019-07-09T23:59:00Z
          Subject CommonName = Deutsche Telekom Root CA 2
          Subject Organization = Deutsche Telekom AG
          pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6


> and a lot of German research organizations and institutes use that for 
> receiving messages.

The DANE survey finds 21 domains with DFN-Verein certificates and working
DANE.  There are almost certainly some that don't have DANE TLSA records,
but they could if they wanted to.  As for "soft failure" with "verify"
(or "secure"), that's not presently supported in Postfix.

-- 
        Viktor.
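The matching rule behind the `pkey sha256 [matched] <- 3 1 1` and `[nomatch] <- 2 1 1` lines in the output above, as an added example written for this page (not Postfix code and not from the thread): a `3 1 1` record is the SHA-256 of the server certificate's SubjectPublicKeyInfo and is compared only against the end-entity certificate at depth 0, while a `2 1 1` record pins an issuer key and is compared against the certificates at depth 1 and above, which is why the issuer of a chain (here the DFN-Verein intermediates) never matters for a `3 1 1` deployment. The byte strings standing in for DER certificates and public keys are constructed sample data, not real certificates, and the depth rule for usage 2 follows the depths the output above prints it against.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TLSA:
    """One TLSA record: 'usage selector mtype data' (RFC 6698)."""
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: str      # certificate association data as lowercase hex

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        # Accepts "3 1 1 e5ee04ac..."; the hex may be split by whitespace,
        # which is how the pasted output above arrived.
        fields = rdata.split()
        if len(fields) < 4:
            raise ValueError("TLSA rdata needs usage, selector, mtype and data")
        usage, selector, mtype = (int(f) for f in fields[:3])
        return cls(usage, selector, mtype, "".join(fields[3:]).lower())


@dataclass(frozen=True)
class ChainCert:
    """A verified chain element. Constructed bytes stand in for DER here."""
    depth: int       # 0 = server certificate, 1.. = issuers up to the root
    cert_der: bytes  # DER of the whole certificate (selector 0)
    spki_der: bytes  # DER of its SubjectPublicKeyInfo (selector 1)


def association_data(cert: ChainCert, selector: int, mtype: int) -> str:
    """Compute what a TLSA record with this selector/mtype must carry."""
    if selector == 0:
        blob = cert.cert_der
    elif selector == 1:
        blob = cert.spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return blob.hex()
    if mtype == 1:
        return hashlib.sha256(blob).hexdigest()
    if mtype == 2:
        return hashlib.sha512(blob).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def match_chain(records: List[TLSA], chain: List[ChainCert]) -> Optional[Tuple[TLSA, int]]:
    """Return (record, depth) of the first DANE match, or None.

    DANE-EE(3) is compared only with the server certificate at depth 0.
    DANE-TA(2) is compared only with issuers at depth >= 1 (assumption
    mirroring the depths the output above prints '2 1 1' against).
    PKIX usages 0 and 1 are skipped, as RFC 7672 directs SMTP clients to do.
    """
    for cert in sorted(chain, key=lambda c: c.depth):
        for rr in records:
            if rr.usage == 3 and cert.depth != 0:
                continue
            if rr.usage == 2 and cert.depth == 0:
                continue
            if rr.usage not in (2, 3):
                continue
            if association_data(cert, rr.selector, rr.mtype) == rr.data:
                return rr, cert.depth
    return None


def demo() -> dict:
    """Constructed chain: leaf -> intermediate CA -> root. Returns (usage, depth) per case."""
    leaf = ChainCert(0, b"cert:mail1.example", b"spki:mail1.example")
    inter = ChainCert(1, b"cert:Example Uni CA", b"spki:Example Uni CA")
    root = ChainCert(2, b"cert:Example Root CA", b"spki:Example Root CA")
    chain = [leaf, inter, root]
    # Same key, renewed certificate: what a routine renewal looks like.
    renewed = ChainCert(0, b"cert:mail1.example renewed 2019", b"spki:mail1.example")
    chain_after_renewal = [renewed, inter, root]

    ee_spki = TLSA.parse("3 1 1 " + association_data(leaf, 1, 1))    # published style above
    ee_cert = TLSA.parse("3 0 1 " + association_data(leaf, 0, 1))    # pins the whole cert
    ta_spki = TLSA.parse("2 1 1 " + association_data(inter, 1, 1))   # pins the issuer key
    misused = TLSA.parse("3 1 1 " + association_data(inter, 1, 1))   # issuer key, wrong usage

    cases = {
        "ee_only": match_chain([ee_spki], chain),
        "ta_only": match_chain([ta_spki], chain),
        "wrong_usage": match_chain([misused], chain),
        "renewed_same_key": match_chain([ee_spki], chain_after_renewal),
        "renewed_full_cert_pin": match_chain([ee_cert], chain_after_renewal),
    }
    return {k: (None if v is None else (v[0].usage, v[1])) for k, v in cases.items()}
```

The last two cases are the operational reason `3 1 1` is the usual recommendation: a certificate renewal that keeps the key leaves the published record valid, whereas a `3 0 1` record (full-certificate hash) breaks the instant the new certificate is installed, and an issuer key published under usage 3 never matches at all.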
