Dear Viktor, dear Bernhard,

On 09/26/18 09:37, Viktor Dukhovni wrote:

>> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt wrote:
>> 
>> Large parts of the German universities now use the DFN MailSupport
>> (= inbound mail relaying and filtering by DFN). The MX records are
>> in mx.srv.dfn.de, which is not signed (whole dfn.de is not signed).
>> So you can have your own zone DNSSEC enabled, but not the one with
>> the MX.
> 
> Good to know.  Thanks.

Yes, that is what I meant. Bernhard, thank you for answering and
clarifying that.

>> I heard they are working on this. This is also a blocker of our
>> project to have DANE-secured SMTP transport for all Bavarian
>> universities.
> 
> I wish them luck (really sound planning and execution, luck has 
> little to do with it).

Unfortunately, to my knowledge, it’s not high on their to-do list.
Only a few of their clients have requested this feature explicitly.
I’ll work on raising awareness. Bernhard, all the Bavarian
institutions should open a support ticket at the DFN mail support.
It’s my understanding that this would influence the priority.

> I also hope that the plan includes securing the downstream hop from 
> the DFN gateway to the client institution, unless DFN is also 
> providing IMAP, Webmail, ...

I do not know how the downstream hop is secured currently. Either
hard coding the IP address of the MTA, using certificates or just
DANE would be feasible. We should do that for our mail system.
Thank you for the reminder.

For the record, the DFN network has its own network infrastructure
with “cables” and network gear operated over Germany, so it’s not
easy for somebody “from the Internet” to eavesdrop [1][2]. Common
methods for securing the transfer should be used nevertheless.


Kind regards,

Paul


[1]: https://www.dfn.de/xwin/faserplattform/
[2]: https://www.dfn.de/fileadmin/1Dienstleistungen/XWIN/Topologie.pdf
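To make the point of the thread concrete (a signed sender zone is not enough when the MX target's zone is unsigned), the following Python model is added here as an illustration; it is not code from this thread, from DFN or from any MTA. It evaluates the two DNSSEC conditions RFC 7672 places on DANE for SMTP (validated MX RRset, validated non-empty TLSA RRset at `_25._tcp.<mx-host>`) over a constructed in-memory DNS table. Only the host `mx.srv.dfn.de` and the fact that `dfn.de` is unsigned come from the thread; the `.example` domain names, the TLSA record contents and the function names are assumptions made for the example.

```python
"""Offline model of the DANE-for-SMTP eligibility rules (RFC 7672, section 2.2).

A sending MTA applies DANE to a destination only when
  1. the recipient domain's MX RRset was obtained with DNSSEC validation, and
  2. the TLSA RRset at _25._tcp.<mx-host> was obtained with DNSSEC validation
     and is non-empty.
The "resolver" below is a constructed in-memory table, not a live DNS lookup.
"""

from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class RRset:
    records: Tuple[str, ...]   # MX target names, or TLSA record text
    secure: bool               # True iff a validating resolver set the AD bit


# Constructed fixture. "uni.example." mirrors the situation in the thread:
# the institution's own zone is signed, but its MX lives under dfn.de,
# which is not. The other names and the TLSA contents are made up.
ZONES: Dict[str, RRset] = {
    "uni.example./MX": RRset(("mx.srv.dfn.de.",), secure=True),
    "_25._tcp.mx.srv.dfn.de./TLSA": RRset((), secure=False),  # unsigned zone
    "good.example./MX": RRset(("mail.good.example.",), secure=True),
    "_25._tcp.mail.good.example./TLSA": RRset(
        ("3 1 1 <placeholder-sha256-of-spki>",), secure=True),
    # Unsigned sender zone pointing at a host whose TLSA records are signed.
    "legacy.example./MX": RRset(("mail.good.example.",), secure=False),
}


def lookup(name: str, rtype: str) -> RRset:
    """Resolve from the constructed table; unknown names are an insecure empty answer."""
    return ZONES.get(f"{name}/{rtype}", RRset((), secure=False))


def dane_status(domain: str) -> Dict[str, str]:
    """Return, per MX host of `domain`, whether DANE would be applied and, if not, why."""
    mx = lookup(domain, "MX")
    if not mx.secure:
        # An unvalidated MX answer could have been substituted on the wire,
        # so DANE is not attempted for any of the listed hosts (RFC 7672, 2.2.1),
        # even if those hosts publish signed TLSA records.
        return {host: "no-dane: MX RRset not DNSSEC-validated" for host in mx.records}
    result: Dict[str, str] = {}
    for host in mx.records:
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        if not tlsa.secure:
            result[host] = "no-dane: TLSA lookup not DNSSEC-validated (MX host zone unsigned)"
        elif not tlsa.records:
            result[host] = "no-dane: no TLSA records published"
        else:
            result[host] = "dane: TLSA records usable"
    return result


if __name__ == "__main__":
    for domain in ("uni.example.", "good.example.", "legacy.example."):
        print(domain, dane_status(domain))
```

The `uni.example.` case is the one Bernhard describes: signing your own zone changes nothing for DANE until the zone holding the MX host (and its TLSA records) is signed as well. The `legacy.example.` case shows the reverse dependency, which matters for the downstream hop: if the institution's own zone is unsigned, a DANE policy on the gateway-to-institution leg cannot be enforced either, and a fixed-IP transport or certificate matching is what remains.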
