On Wed, Sep 18, 2013 at 03:27:14PM +0200, Stefan Foerster wrote:

> I'm not sure if this is the right place to ask, so if it's not, feel
> free to tell me.

This is Postfix related.

> I configured DANE TLSA RRs for incertum.net, port 25 a few days ago,
> but until now, the only "test" I could perform was bootstrapping a
> recent Postfix snapshot and the latest OpenSSL and send myself a
> message from this test installation - which is by no means a real
> interoperability test.

DANE TLSA certificate checks (unlike testing access permissions) do
not depend on the client IP address or other origin-dependent
features. So your test is quite sufficient.

> Does someone know of any sites that either provide reflector like
> services, verifying the sender's TLSA records, or perhaps a web based
> verifier for TLSA RRs?

Ralf's python.org mailing list MTA is DANE TLSA enabled, but it is
definitely not intended to be a test server. If you are subscribed to
one of the python lists, and still receiving email, that's another
data point.

I ran posttls-finger from my laptop, and got:

    $ posttls-finger -t30 -T180 -c -L verbose,summary incertum.net
    ...
    posttls-finger: using DANE RR: _25._tcp.mail.incertum.net IN TLSA 3 1 1 BD:52:FE:11:E0:F9:14:00:91:13:40:80:5F:4B:B7:A5:5C:8F:17:17:E8:AD:F2:2A:A0:72:E3:7B:68:33:6B:B6
    ...
    posttls-finger: Verified TLS connection established to mail.incertum.net[78.47.238.14]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

So you're all set.

> And while we are at it, one more question, slightly unrelated:
> draft-dukhovni-dane-ops-01 does not mention MSAs. Is it commonly
> expected that user agents will not support TLSA RRs?

You should be looking at the SMTP draft, not the OPS draft.

I think it is unlikely that MUAs will lead DANE adoption. Once major
MTA and MSA operators field DANE, MUAs may gradually also adopt DANE,
especially once they adopt SRV-record based zeroconf (for otherwise in
this case TLS provides negligible MITM protection).

-- 
Viktor.
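The "3 1 1" record posttls-finger reports above means usage DANE-EE (3), selector SubjectPublicKeyInfo (1), matching type SHA-256 (1). The following is an added illustration of the matching step a DANE SMTP client performs once it has the server's certificate chain; it is not Postfix code and not part of the thread. It parses presentation-format TLSA RDATA (including the colon-separated hex form posttls-finger prints), applies the usability rules an SMTP client uses (only usages 2 and 3 are honoured, and digests of the wrong length are ignored), and compares the selected data against the record. The certificate and SPKI byte strings are constructed placeholders rather than real DER, since the comparison only hashes or compares bytes; the DANE-TA branch deliberately does not verify chain signatures, which a real client must still do.

```python
import hashlib
import re

# Constructed placeholder bytes standing in for DER-encoded certificates and
# SubjectPublicKeyInfo structures (not real DER; the matching logic only hashes
# or compares the bytes, so any content will do for the demonstration).
SAMPLE_CERT_DER = b"constructed-leaf-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-leaf-spki-der-bytes"
SAMPLE_ISSUER_CERT_DER = b"constructed-issuer-certificate-der-bytes"
SAMPLE_ISSUER_SPKI_DER = b"constructed-issuer-spki-der-bytes"

# The TLSA record posttls-finger reported in the message above (real record text).
INCERTUM_TLSA = ("3 1 1 BD:52:FE:11:E0:F9:14:00:91:13:40:80:5F:4B:B7:A5:5C:8F:17:17:"
                 "E8:AD:F2:2A:A0:72:E3:7B:68:33:6B:B6")


def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'.

    posttls-finger prints the hex with ':' separators; zone files usually have
    none. Both forms are accepted by stripping every non-hex character.
    """
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA RDATA needs exactly four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    hexdata = re.sub(r"[^0-9A-Fa-f]", "", fields[3])
    return usage, selector, mtype, bytes.fromhex(hexdata)


def usable_for_smtp(usage, selector, mtype, assoc):
    """Usability filter in the spirit of the DANE SMTP draft: only DANE-TA (2)
    and DANE-EE (3) are honoured (PKIX usages 0 and 1 need a WebPKI trust
    store the MTA does not rely on), and a digest whose length does not fit
    its matching type is treated as unusable rather than as a match."""
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    expected_len = {1: 32, 2: 64}.get(mtype)  # mtype 0 is the full object
    return expected_len is None or len(assoc) == expected_len


def matches_one(selector, mtype, assoc, cert_der, spki_der):
    """Compare one certificate against the record's association data."""
    selected = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return selected == assoc  # exact match of the selected object
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(selected).digest() == assoc


def tlsa_matches(rdata, chain):
    """chain: list of (cert_der, spki_der) pairs, server leaf first.

    DANE-EE (3): only the leaf is compared; no name or expiry check applies.
    DANE-TA (2): a matching issuer must appear in the presented chain, and the
    caller must additionally verify the chain's signatures up to that issuer;
    this example intentionally stops at the byte comparison.
    """
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if not chain or not usable_for_smtp(usage, selector, mtype, assoc):
        return False
    if usage == 3:
        return matches_one(selector, mtype, assoc, *chain[0])
    return any(matches_one(selector, mtype, assoc, c, s) for c, s in chain[1:])


def tlsa_matches_any(rrset, chain):
    """A connection is verified if any usable record in the RRset matches."""
    return any(tlsa_matches(r, chain) for r in rrset)


def tlsa_311_for(spki_der):
    """Presentation form of the '3 1 1' record a zone operator would publish
    for a server key (SHA-256 over the DER SubjectPublicKeyInfo)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest().upper()


if __name__ == "__main__":
    chain = [(SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
             (SAMPLE_ISSUER_CERT_DER, SAMPLE_ISSUER_SPKI_DER)]
    published = tlsa_311_for(SAMPLE_SPKI_DER)
    print("published:", published)
    print("leaf matches published record:", tlsa_matches(published, chain))
    print("sample chain matches incertum.net record:",
          tlsa_matches(INCERTUM_TLSA, chain))
```

The point to take from the DANE-EE branch is the one Viktor makes about the test being sufficient: a "3 1 1" check depends only on the key the server presents, so a match observed from one client holds for every client that resolves the same (DNSSEC-validated) record. The usability filter matters for operators too: a mis-published record (wrong digest length, or a PKIX usage) does not "fail open" into a weaker check, it is simply ignored, and if no usable record matches the client refuses to deliver.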