On Tue, Jun 02, 2015 at 11:17:55AM +0200, Per Thorsheim wrote:
> Quite a bit of useful info at sys4.de, but in German. Found this English
> translation as a rather quick guide for parts of the process:
> http://noflex.org/implementing-dnssec-dane-email-step-step/
A few comments:
1. Key generation:
Original:

    mkdir -p /etc/postfix/ssl
    cd /etc/postfix/ssl
    openssl req -new -newkey rsa:1024 -days 9999 -nodes -x509 \
        -keyout server.pem -out server.pem
    postconf -e "smtpd_tls_security_level = may"
    postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/server.pem"
    postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/server.pem"

Better, set the umask to 077 to protect the private key, and use a 2048-bit
RSA key.
Avoid potential problems with using the same file as both the key and cert
output file:

    umask 077
    mkdir -p /etc/postfix/ssl
    cd /etc/postfix/ssl
    openssl req -new -newkey rsa:2048 -days 7305 -nodes -x509 \
        -keyout /dev/stdout >> server.pem
    postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/server.pem"
    postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/server.pem"
    postconf -e "smtpd_tls_security_level = may"

2. Correction:
Original:

    in this state, a sending server can encrypt the transmission,
    but it can not verify the self-signed server certificate, so
    it will treat the TLS connection as anonymous:

        postfix/smtp[13330]: Anonymous TLS connection established to
        mail.example.com[...]:25: TLSv1.2 with cipher AECDH-AES256-SHA
        (256/256 bits)

The reason you see "anonymous" is not because unverified peers
are treated as "anonymous", but rather because in fact an anonymous
ciphersuite is negotiated, and no certificate is sent by the server.
This happens when TLS is opportunistic (security level "may") and
both sides support anonymous ciphers.
3. TLSA record generation:
Original:

    # openssl x509 -in /etc/postfix/ssl/server.pem -outform DER | openssl sha256
    (stdin)= 02059728e52f9a58a235584e1ed70bd2b51a44024452ec2ba0166e8fb1d1d32b

Better, the recommended TLSA record parameters are "DANE-EE(3)
SPKI(1) SHA2-256(1)" or simply "3 1 1". This means that the
record publishes a digest of the public key alone, not the
containing certificate. Therefore, the right command to extract
the digest is:

    # openssl x509 -in /etc/postfix/ssl/server.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02X"'

Correspondingly, the TLSA record should be "3 1 1" not "3 0 1"
as mentioned before.
The www.tlsa.info site has been superseded by "https://dane.sys4.de".
4. Stress more strongly the need for a VALIDATING LOCAL resolver on
a sending Postfix system that supports DANE.

    /etc/resolv.conf:
        ; DO NOT list remote nameservers
        nameserver 127.0.0.1

Deploy unbound or BIND with suitable trust-anchor material for
the root zone AND automated updates to keep these up to date
when the root keys are rotated some day.
--
Viktor.
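
What the "3 0 1" and "3 1 1" digests in item 3 each cover, as an added Python example that is not part of the message above or of the guide it comments on: it pulls the SubjectPublicKeyInfo out of a certificate's DER (the bytes the `-pubkey | openssl pkey -pubin -outform DER` pipeline produces) and, going one step beyond the text, shows that a reissued certificate with the same key keeps its "3 1 1" digest while its "3 0 1" digest changes. The two certificates are constructed, certificate-shaped DER with dummy key and signature bytes, and all function names are hypothetical.

```python
import hashlib

def tlv(tag, body=b""):
    """DER-encode one tag-length-value element."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body
seq = lambda *parts: tlv(0x30, b"".join(parts))  # DER SEQUENCE

def read_tlv(der, pos):
    """Parse the element at pos; return (tag, value_start, end)."""
    tag, first = der[pos], der[pos + 1]
    nbytes = first & 0x7F if first & 0x80 else 0
    length = int.from_bytes(der[pos + 2:pos + 2 + nbytes], "big") if nbytes else first
    end = pos + 2 + nbytes + length
    if first == 0x80 or end > len(der):
        raise ValueError("not well-formed DER")
    return tag, pos + 2 + nbytes, end

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                # optional [0] version
        _, _, pos = read_tlv(cert_der, pos)
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]

def tlsa_rdata(cert_der, selector):
    """RDATA for DANE-EE(3), selector Cert(0) or SPKI(1), SHA2-256(1)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"
# Constructed sample input: certificate-shaped DER with a dummy key and signature.
def sample_cert(serial, spki):
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
    validity = seq(tlv(0x17, b"150602000000Z"), tlv(0x17, b"350602000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              alg, seq(), validity, seq(), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" + b"\x5a" * 256))
SPKI = seq(seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05)),
           tlv(0x03, b"\x00" + b"\xa5" * 270))
CERT_OLD, CERT_NEW = sample_cert(1, SPKI), sample_cert(2, SPKI)  # same key, reissued
for sel in (0, 1):
    print(tlsa_rdata(CERT_OLD, sel), tlsa_rdata(CERT_NEW, sel), sep="\n")
```

The digest is printed in lowercase hex, where the `hexdump` format above prints uppercase; the value is the same.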