On Wed, Jul 31, 2024 at 10:44:10PM +0200, Mechiel Lukkien via mailop wrote:

> > Its DANE implementation looks (cursory read of the code) incorrect to
> > me. I'd recommend against using non-mainstream security software.
>
> do you remember what looked wrong? i'm very interested in any leads
> (as author of mox). i'm assuming the issue would be with the outgoing
> connections, not how mox is helping you set up dane for your server.
Yes, the issue is with outbound DANE support. Inbound DANE requires no
code on the receiving MTA, just working STARTTLS and a certificate chain
(perhaps just the server's public key) that matches the published TLSA
records.

> the logic & code certainly has gotten tricky: dealing with the details
> about required dnssec statuses (after following cnames), which cert
> hostnames are valid, dealing with both mta-sts and dane on a
> connection, and tracking error codes for failing connections (for tls
> reports).

I couldn't tell whether it was too strict, and would refuse to deliver
mail to domains with DANE TLSA records, or too permissive, and would
deliver without DANE enforcement when DNS lookups tempfail. Either way,
I could not see how it could robustly handle active attacks that tamper
with DNS responses.

The certificate validation logic also looked difficult to understand, at
least in the DANE-TA(2) case. It is rather unclear how the various
command bindings add up to a complete outbound delivery state machine.

Sorry I can't be more specific, but in the limited time I had for
looking at the code I failed to find the expected logic for handling
temporary errors correctly and for clearly correct handling of
DANE-TA(2).

-- 
Viktor.
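The two properties the reply is probing, fail-closed handling of TLSA lookup tempfails and correct DANE-EE(3)/DANE-TA(2) matching of the presented chain, can be sketched as a small outbound-side check. The following is an added illustration written for this page; it is not mox's code, Viktor's code, or any MTA's actual implementation. It assumes the lookup has already been classified by a DNSSEC-validating resolver into the constructed `DNSStatus` values, uses `x509.Certificate` stand-ins populated only with constructed `Raw`/`RawSubjectPublicKeyInfo` bytes in place of a real chain, and deliberately stops at TLSA matching for DANE-TA(2): a complete client must still build and validate a path from the leaf to the matched anchor, which is the part the reply singles out as hard to get right.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
)

// TLSA holds the four RDATA fields of a TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// DNSStatus is the DNSSEC-aware outcome of the TLSA lookup for an MX host
// (assumed to come from a validating resolver; constructed for this example).
type DNSStatus int

const (
	DNSSecure    DNSStatus = iota // RRset returned and DNSSEC-validated
	DNSNoRecords                  // authenticated denial: no TLSA records
	DNSInsecure                   // unsigned zone: DANE does not apply
	DNSTempFail                   // SERVFAIL, timeout or bogus: answer unknown
)

// Policy is the transport decision for one delivery attempt.
type Policy string

const (
	PolicyOpportunistic Policy = "opportunistic" // TLS if offered, unauthenticated
	PolicyDANE          Policy = "dane"          // TLS required, cert must match TLSA
	PolicyDefer         Policy = "defer"         // queue and retry; do not deliver now
)

// DecidePolicy maps a lookup outcome to a policy. The security-critical case
// is DNSTempFail: the client cannot know whether TLSA records exist, so it
// must defer rather than fall back to unauthenticated delivery.
func DecidePolicy(status DNSStatus, records []TLSA) Policy {
	switch status {
	case DNSSecure:
		if len(records) > 0 {
			return PolicyDANE
		}
		return PolicyOpportunistic
	case DNSNoRecords, DNSInsecure:
		return PolicyOpportunistic
	}
	return PolicyDefer
}

// matchingData returns the bytes a record is compared against for one cert,
// or nil when the selector or matching type is unknown (record is unusable).
func matchingData(r TLSA, cert *x509.Certificate) []byte {
	sel := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[r.Selector]
	switch {
	case sel == nil:
		return nil
	case r.MatchingType == 0:
		return sel
	case r.MatchingType == 1:
		sum := sha256.Sum256(sel)
		return sum[:]
	case r.MatchingType == 2:
		sum := sha512.Sum512(sel)
		return sum[:]
	}
	return nil
}

// VerifyChain checks a presented chain (leaf first, as in
// tls.ConnectionState.PeerCertificates) against the TLSA RRset. DANE-EE(3)
// matches the leaf only; DANE-TA(2) matches a presented issuer and must be
// followed by path validation to that anchor (omitted here). PKIX usages 0
// and 1 are not usable for SMTP (RFC 7672) and are skipped.
func VerifyChain(records []TLSA, chain []*x509.Certificate) bool {
	if len(chain) == 0 {
		return false
	}
	for _, r := range records {
		var candidates []*x509.Certificate
		switch r.Usage {
		case 3:
			candidates = chain[:1]
		case 2:
			candidates = chain[1:]
		}
		for _, c := range candidates {
			if got := matchingData(r, c); got != nil && bytes.Equal(got, r.Data) {
				return true
			}
		}
	}
	return false
}

// RecordFor is the record an operator publishes for cert: "3 1 1 <sha256>".
func RecordFor(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}

func main() {
	// Constructed stand-in for a parsed certificate: only the raw fields read
	// by the matching logic are populated.
	leaf := &x509.Certificate{Raw: []byte("leaf-der"), RawSubjectPublicKeyInfo: []byte("leaf-spki")}
	fmt.Println("DANE-EE match:", VerifyChain([]TLSA{RecordFor(leaf)}, []*x509.Certificate{leaf}))
	fmt.Println("tempfail ->", DecidePolicy(DNSTempFail, nil))
}
```

The useful property to test in a real client is the last line of `main`: a lookup that fails must produce a deferral, never an opportunistic-TLS delivery, because an attacker who can make the TLSA lookup fail would otherwise strip DANE protection entirely. Unusable records (unknown selector or matching type) are skipped rather than treated as failures, which is what keeps a client from becoming "too strict" when a zone publishes a newer record type.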