Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On Tue, Aug 23, 2022 at 09:21:33AM -0700, nate wrote:

> On 2022-08-22 14:46, Viktor Dukhovni wrote:
>
> > [..]
> >
> > You don't need to sign your own domain in order to secure outbound traffic to domains that others have signed. You just need a local validating resolver such as "unbound", with DNSSEC validation turned on.
>
> Ok, yeah I was thinking more of DANE for my own domains rather than validating others.
>
> > My take is that the person in question likes being a cult leader, dispensing wisdom to adherents, who then, along with the leader, get to feel superior to the uninitiated masses.
>
> Interesting! I have no idea who that person is, I just came across that post in a comment on a website somewhere years ago. I had read others complain about DNSSEC but hadn't seen what appeared to be fairly organized, specific thoughts on the subject rather than a one-liner that they hate DNSSEC without saying why.
>
> > The tooling around DNSSEC has significantly improved recently, making hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and later. Or you can get your domain professionally operated by Google, one.com, OVH, ... who operate millions of signed domains with no issues.
>
> I checked and I do have BIND 9.16 where I host my domains (on my own servers). I'll think about it more; my home setup is quite simple, I haven't invested much time in it since before 2010 probably (other than OS updates and stuff to keep it going).
>
> I have been using Dyn DNS for work-related DNS stuff since about 2009; even though Oracle keeps saying they plan to retire the legacy Dyn stuff (and say the newer Oracle cloud DNS uses the same Dyn backend), it's still alive until May 2023 at least.
>
> > In any case, outbound DANE does not require anything non-trivial on your end.
>
> Good to know, thanks!!
>
> nate

DNSSEC has become really easy since BIND 9.16.

The only big investment in time is reading about DNSSEC to make sure that you understand what's happening. The BIND documentation for DNSSEC is good, and once you understand what it's doing, it can be done with a single extra line of configuration (unless you want to get fancy with the policy), and communicating records for the parent zone to your registrar.

I started with it a year ago and have just had my first batch of new CDS/CDNSKEY records appear for an annual rollover (my choice). There's no risk of an outage because BIND won't do anything drastic until I've told it that the new DS record is published and the old DS record is withdrawn. I had to set up some monitoring to know when the new CDS/CDNSKEY records appear, but that's just cron+host+diff.

An important thing to check first is how good your registrar is when it comes to adding and removing DS and/or DNSKEY records. Before DNSSEC, I was with a registrar that couldn't do it at all, so I switched to a much better one. Uploading them is done with a web form. No API unfortunately, but I've just asked if they're willing to add one.

That anti-DNSSEC page seems very silly and/or out of date. It's true that there are security measures that have been developed with the assumption/acceptance that DNS is insecure, but they have their own problems, and there's probably a lot of stuff that just accepts the insecurity rather than doing anything to mitigate it, so that's not very compelling. And modern small keys exist now. And its popularity is steadily increasing. And the claim that the government controls your keys is just weird. I don't understand that claim at all. Maybe the author doesn't know what escrow means.

cheers,
raf
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 14:46, Viktor Dukhovni wrote:

> [..]
>
> You don't need to sign your own domain in order to secure outbound traffic to domains that others have signed. You just need a local validating resolver such as "unbound", with DNSSEC validation turned on.

Ok, yeah I was thinking more of DANE for my own domains rather than validating others.

> My take is that the person in question likes being a cult leader, dispensing wisdom to adherents, who then, along with the leader, get to feel superior to the uninitiated masses.

Interesting! I have no idea who that person is, I just came across that post in a comment on a website somewhere years ago. I had read others complain about DNSSEC but hadn't seen what appeared to be fairly organized, specific thoughts on the subject rather than a one-liner that they hate DNSSEC without saying why.

> The tooling around DNSSEC has significantly improved recently, making hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and later. Or you can get your domain professionally operated by Google, one.com, OVH, ... who operate millions of signed domains with no issues.

I checked and I do have BIND 9.16 where I host my domains (on my own servers). I'll think about it more; my home setup is quite simple, I haven't invested much time in it since before 2010 probably (other than OS updates and stuff to keep it going).

I have been using Dyn DNS for work-related DNS stuff since about 2009; even though Oracle keeps saying they plan to retire the legacy Dyn stuff (and say the newer Oracle cloud DNS uses the same Dyn backend), it's still alive until May 2023 at least.

> In any case, outbound DANE does not require anything non-trivial on your end.

Good to know, thanks!!

nate
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On Tue, Aug 23, 2022 at 01:13:56AM -0400, Demi Marie Obenour wrote:

> You should definitely deploy DNSSEC, but only after you are able to deploy it properly. That means having procedures to avoid nasty DNSSEC-related downtime.

That's needlessly scary and non-specific. Rather, it means, that if you're self-hosted:

* Having monitoring in place to check that all signatures in the zone are valid and will not expire too soon. I use:

      ldns-verify-zone -e P0Y0M3DT3H23M54S ...

* Having automated signing in place that should ensure that barring unexpected issues, the above should never fail. Choose a nameserver that:

  + Automates resigning and even periodic ZSK rollovers (e.g. the signing policies in BIND 9.16 or later).

  + Possibly automates KSK rollovers as well, but unconditionally waits for the matching parent zone DS records to show up before retiring old keys (forever if need be).

    - If the parent zone supports CDS/CDNSKEY probing (most don't yet), that happens automatically.

    - Otherwise periodically (but OK if delayed indefinitely) you mirror the "CDS" records as the desired "DS" records via your registrar, ideally they provide an "API" for this.

With just these, I've been self-hosting some signed domains since ~2014 with not a single outage.

If the tools still look intimidating, wait till they get easier to use, or use a professional service (but presently avoid AWS Route 53, who last I looked still need to fix some issues around empty non-terminals) to operate the signed domain for you.

-- 
Viktor.
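The two monitoring checks discussed in this thread, the signature-expiry threshold that ldns-verify-zone's -e option expresses (Viktor's list above) and raf's cron+host+diff watch for newly published CDS/CDNSKEY records, written out as an added Python example. This is not code from the thread, from BIND or from ldns; the zone name example.test, the key tags and the digests are constructed sample data, and the RRSIG/CDS lines are assumed to be in the usual dig/named presentation format.

```python
import re
from datetime import datetime, timedelta, timezone

# Duration syntax accepted by "ldns-verify-zone -e" (ISO 8601), e.g. P0Y0M3DT3H23M54S.
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# RRSIG presentation format: owner TTL IN RRSIG type alg labels origttl expiry inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\d{14}\s+")

# Constructed sample data (hypothetical zone, made-up key tags and digests), not real records.
SAMPLE_ZONE = """\
example.test. 3600 IN RRSIG SOA 13 2 3600 20220901120000 20220818120000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG MX 13 2 3600 20220824090000 20220810090000 12345 example.test. c2lnMg==
"""
CDS_BEFORE = "example.test. 3600 IN CDS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
CDS_AFTER = CDS_BEFORE + "example.test.  3600 IN CDS 54321 13 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210\n"

def parse_duration(text):
    """ISO 8601 duration -> timedelta (years/months approximated as 365/30 days)."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError("bad duration: " + text)
    y, mo, d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=365 * y + 30 * mo + d, hours=h, minutes=mi, seconds=s)

def expiring_rrsigs(zone_text, now, min_remaining):
    """(owner, type) for every RRSIG already expired or expiring within min_remaining of now."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, rtype, expiry = m.groups()
        exp = datetime.strptime(expiry, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if exp - now < min_remaining:
            found.append((owner, rtype))
    return found

def rrset_diff(previous, current):
    """Whitespace- and order-insensitive diff of two answer sets (the cron+host+diff step): (added, removed)."""
    norm = lambda text: {" ".join(l.split()) for l in text.splitlines() if l.strip()}
    before, after = norm(previous), norm(current)
    return sorted(after - before), sorted(before - after)

def run_checks(now=datetime(2022, 8, 23, tzinfo=timezone.utc)):
    """One cron-style pass: flag short-lived signatures and any CDS change since the last snapshot."""
    soon = expiring_rrsigs(SAMPLE_ZONE, now, parse_duration("P0Y0M3DT3H23M54S"))
    added, removed = rrset_diff(CDS_BEFORE, CDS_AFTER)
    return soon, added, removed
```

In production the sample strings would be replaced by the output of a zone dump and of a periodic query for the CDS/CDNSKEY RRset, with the previous answer kept on disk as the snapshot to diff against.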
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 8/22/22 17:38, nate wrote:

> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
> > Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations.
> >
> > Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned).
>
> ok thanks!
>
> I looked into DANE yesterday, had never heard of it before that I can recall anyway, and it appeared to need DNSSEC, which isn't something I've had an interest to deploy. I read what appeared to be a really good blog post on DNSSEC a few years ago that really ripped it apart (https://sockpuppet.org/blog/2015/01/15/against-dnssec/). Can't vouch for accuracy but the person seemed like they knew what they were talking about. That was of course 7 years ago so maybe things have changed since.
>
> nate

You should definitely deploy DNSSEC, but only after you are able to deploy it properly. That means having procedures to avoid nasty DNSSEC-related downtime.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On Mon, Aug 22, 2022 at 02:38:20PM -0700, nate wrote:

> On 2022-08-22 14:30, Viktor Dukhovni wrote:
>
> > Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations.
> >
> > Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned).
>
> ok thanks!
>
> I looked into DANE yesterday, had never heard of it before that I can recall anyway, and it appeared to need DNSSEC, which isn't something I've had an interest to deploy.

You don't need to sign your own domain in order to secure outbound traffic to domains that others have signed. You just need a local validating resolver such as "unbound", with DNSSEC validation turned on. You need a local resolver anyway, just to use most RBLs, so turning on validation is a simple change.

> I read what appeared to be a really good blog post on DNSSEC a few years ago that really ripped it apart (https://sockpuppet.org/blog/2015/01/15/against-dnssec/).

Don't believe everything you read.

> Can't vouch for accuracy but the person seemed like they knew what they were talking about. That was of course 7 years ago so maybe things have changed since.

My take is that the person in question likes being a cult leader, dispensing wisdom to adherents, who then, along with the leader, get to feel superior to the uninitiated masses.

The tooling around DNSSEC has significantly improved recently, making hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and later. Or you can get your domain professionally operated by Google, one.com, OVH, ... who operate millions of signed domains with no issues.

In any case, outbound DANE does not require anything non-trivial on your end.

-- 
Viktor.
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 14:30, Viktor Dukhovni wrote:

> Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations.
>
> Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned).

ok thanks!

I looked into DANE yesterday, had never heard of it before that I can recall anyway, and it appeared to need DNSSEC, which isn't something I've had an interest to deploy. I read what appeared to be a really good blog post on DNSSEC a few years ago that really ripped it apart (https://sockpuppet.org/blog/2015/01/15/against-dnssec/). Can't vouch for accuracy but the person seemed like they knew what they were talking about. That was of course 7 years ago so maybe things have changed since.

nate
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On Mon, Aug 22, 2022 at 02:09:26PM -0700, nate wrote:

> postfix/smtp[7329]: Untrusted TLS connection established to example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I assume it says Untrusted because Postfix doesn't have any CAs that it is configured for?

Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations.

Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned).

-- 
Viktor.
Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 13:55, Viktor Dukhovni wrote:

> This should be the full certificate chain, not just the lead certificate. For that, you need at least:
>
>     smtp_tls_security_level = may
>
> or perhaps (given a local validating resolver and only loopback nameserver IPs in /etc/resolv.conf or equivalent):
>
>     smtp_dns_support_level = dnssec
>     smtp_tls_security_level = dane

thanks Viktor and Jaroslaw! Things are working fine, I put the cert chain in the main cert file again, no errors this time. Outbound TLS is working ok now:

    postfix/smtp[7329]: Untrusted TLS connection established to example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

I assume it says Untrusted because Postfix doesn't have any CAs that it is configured for? (assuming Office 365 uses a real SSL cert). Probably doesn't matter. It's just my personal email server.

thanks

nate