On Mon, Feb 10, 2025 at 04:14:36PM +0100, Danjel Jungersen via Postfix-users wrote:
> I have decided to give it a shot.

When you say "give it a shot", do you mean enabling DANE *outbound* in your Postfix SMTP client, i.e. verify the DANE TLSA records of remote domains that have implemented it?

If so, that's pretty simple, you need a local DNSSEC validating resolver (BIND, unbound, knot, not systemd-resolved or dnsmasq). Then just:

    /etc/resolv.conf
        nameserver 127.0.0.1
        # Glibc-specific
        options trust-ad

    /etc/postfix/main.cf:
        smtp_dns_support_level = dnssec
        smtp_tls_security_level = dane

If you want to publish your own TLSA records, step one is robust monitoring, so that you're the first to know of any issues in your DNS or certificate configurations.

1. Regular checks that DNSSEC is working and consistent across all primary and secondary nameservers. Check that the returned DNSKEY RRsets are validated and the same across the board. Check that the SOA RRset validates across the board.

2. For the intended, but not initially published TLSA records, check that each IP address of each MX host has certificates that match those TLSA records. If you have multiple certificates (say RSA and ECDSA), check that each of these matches (use the "-sigalgs" option of s_client, as e.g. in the "danesmtp" function I keep posting). Check that incorrect values of the TLSA records checked result in a timely alarm.

Only once you have working monitoring, consider publishing TLSA records, for one of the MX hosts, then if all goes well the rest. Do NOT rotate all the MX host certificates at the same time, stagger these to avoid concurrent failure of them all.

If using Let's Encrypt avoid "3 0 1" records, use "3 1 1", and use "danecli", "danebot", ... as already suggested upthread. If you want (not recommended) to use Let's Encrypt "2 1 1" records, make sure to publish the full set as explained in https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

-- 
    Viktor.
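One way to run the certificate side of the check in item 2 above, as an added example that is not part of this post or of the danesmtp/danecli tools it mentions: compute the TLSA RDATA ("3 1 1 <hex>" etc.) a served certificate would need and compare it with the record you intend to publish, using only Python's standard library (a small DER walker in place of openssl). The certificate below is a constructed placeholder with a valid DER layout but no real key or signature; a real monitor would fetch the DER certificate from each MX IP over STARTTLS, and usage 2 records would be checked against the issuing CA certificate rather than the leaf, which this code does not do.

```python
import hashlib

def _tlv(buf, pos=0):
    """Decode one DER element at pos: returns (tag, contents, end offset)."""
    tag, n, hdr = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, hdr = int.from_bytes(buf[hdr:hdr + (n & 0x7F)], "big"), hdr + (n & 0x7F)
    return tag, buf[hdr:hdr + n], hdr + n

def _elements(contents):
    """Split a SEQUENCE body into (tag, raw TLV bytes) children."""
    out, pos = [], 0
    while pos < len(contents):
        end = _tlv(contents, pos)[2]
        out.append((contents[pos], contents[pos:end]))
        pos = end
    return out

def spki_der(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 cert (selector 1 input)."""
    tbs_body = _tlv(_tlv(cert_der)[1])[1]  # Certificate -> tbsCertificate contents
    fields = _elements(tbs_body)
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Zone-file RDATA this cert satisfies; DANE-EE (usage 3) only."""
    if usage != 3: raise ValueError("usage 2 hashes the issuing CA cert, not the leaf")
    payload = cert_der if selector == 0 else spki_der(cert_der)  # 0 = full cert, 1 = SPKI
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](payload)
    return f"{usage} {selector} {mtype} {digest.hex()}"

def tlsa_matches(record, cert_der):
    """True if a published RDATA string matches the certificate actually served."""
    usage, selector, mtype, data = record.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == data.replace(" ", "").lower()

# Constructed placeholder certificate: valid DER layout, dummy key bits and signature.
def _der(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
_ALG_ID = lambda oid_hex: _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
_SIG_ALG = _ALG_ID("2a864886f70d01010b")  # sha256WithRSAEncryption
SAMPLE_SPKI_DER = _der(0x30, _ALG_ID("2a864886f70d010101") + _der(0x03, b"\x00" + b"\x42" * 100))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG + _der(0x30, b"") * 3 + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" * 17))
```

Run `tlsa_rdata(cert, 3, 1, 1)` on each certificate an MX host serves (per IP and per key type) and alert when `tlsa_matches` is false for any record you intend to publish.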