| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Please use TLSA | | |
| Product | Gentoo Infrastructure | Reporter | James Cloos <cloos> |
| Component | Other | Assignee | Gentoo Infrastructure <infra-bugs> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | alex_y_xu, eras, tobias.pal, whissi |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
| Attachments | tlsagen | | |
Description
James Cloos
2014-02-25 01:26:55 UTC
How would DANE be useful? It would enable MTAs which send to @lists.gentoo.org and @gentoo.org to verify that the mail actually makes it to the MX. And without a MitM. Even though not many support checking (postfix added it in 2.11, the current ~ version) yet, most MTAs do not link in the /etc/ssl/certs CAs, and as such will do no verifications w/o dane. And given that gentoo.org is already signed, the cost is negligible.

As an aside, debian supports dane, and the ietf MXs will add it as soon as the contractor gets tls working. Which is expected to be right after the upcoming meeting.

There will, I expect, over time also be a positive reputation benefit for the project in the form of evidence of security consciousness and community leadership.

I'll get there, I have promised DANE for a long time for Gentoo, I just need to work on better automating generation of the DNS records from our certs. Not just for mail, but for WWW as well.

*** Bug 508756 has been marked as a duplicate of this bug. ***

Created attachment 375766 [details]
tlsagen
Attached is the script I use to generate the TLSA records for MX hosts (courtesy of Victor Duchovni of postfix).

```
$ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
_25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}
```

where "cert.pem" is the file with the SMTP server certificate, and $(uname -n) is the fully-qualified domain name of the server as an MX host for your domain.

The shell script expects OpenSSL 1.0.0 or later, and will not work with earlier versions.

When rotating keys, publish both the new and old TLSA records well in advance.

Adjust as needed for https. Hope it helps.
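The record shape in the comment above ("3 1 1": DANE-EE usage, SubjectPublicKeyInfo selector, SHA2-256 matching type) and the rotation advice can be shown end to end. The following is an added example written for this page; it is neither the attached tlsagen script nor Gentoo infrastructure code. It walks the DER of an X.509 certificate to pull out the SPKI, renders the zone-file line, and checks a presented certificate against a published RRset. The certificate it operates on is a toy structure constructed inline (placeholder key bytes and a dummy signature, not a real key), so everything runs offline; the helper names are the example's own.

```python
import hashlib

# --- minimal DER helpers ----------------------------------------------------

def der_encode(tag, payload):
    """Encode one DER TLV (used here only to construct the sample certificate)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(data, pos=0):
    """Decode the TLV at pos; return (tag, value, end). data[pos:end] is the raw element."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_elements(value):
    """Split a constructed DER value into (tag, raw_element) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo element of an X.509 DER certificate (RFC 5280):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = der_elements(tbs_body)
    if fields[0][0] == 0xA0:               # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    return fields[5][1]                    # serial, sigalg, issuer, validity, subject, SPKI


# --- TLSA generation and matching (RFC 6698) ---------------------------------

def association_data(cert_der, selector, mtype):
    """Certificate association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA2-256, 2 = SHA2-512."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_record(cert_der, host, port=25, usage=3, selector=1, mtype=1):
    """Zone-file line; the defaults give DANE-EE / SPKI / SHA2-256, i.e. '3 1 1'."""
    digest = association_data(cert_der, selector, mtype)
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {digest}"


def parse_tlsa(line):
    """'_25._tcp.host. IN TLSA 3 1 1 <hex>' -> (usage, selector, mtype, hex)."""
    p = line.split()
    i = p.index("TLSA")
    return int(p[i + 1]), int(p[i + 2]), int(p[i + 3]), p[i + 4].lower()


def dane_ee_matches(cert_der, rrset):
    """True if any usage-3 record in the RRset matches the presented certificate.
    Usages 0-2 need PKIX/chain processing and are deliberately not handled here."""
    return any(usage == 3 and association_data(cert_der, sel, mt) == hexdata
               for usage, sel, mt, hexdata in rrset)


# --- constructed sample certificates (toy values, not a real key or signature) --

def _name(cn):                             # Name ::= SEQUENCE { SET { SEQUENCE { OID CN, UTF8String } } }
    return der_encode(0x30, der_encode(0x31, der_encode(0x30,
        der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn))))

def build_sample_cert(key_bits):
    rsa_oid = der_encode(0x30, der_encode(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + der_encode(0x05, b""))
    sha256_rsa = der_encode(0x30, der_encode(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + der_encode(0x05, b""))
    spki = der_encode(0x30, rsa_oid + der_encode(0x03, b"\x00" + key_bits))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))                  # version v3
        + der_encode(0x02, b"\x01")                                   # serial
        + sha256_rsa
        + _name(b"mail.example.com")                                  # issuer
        + der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
        + _name(b"mail.example.com")                                  # subject
        + spki)
    cert = der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00" + bytes(32)))  # dummy signature
    return cert, spki

OLD_CERT, OLD_SPKI = build_sample_cert(b"\x30\x06\x02\x01\x03\x02\x01\x03")   # placeholder key bytes
NEW_CERT, NEW_SPKI = build_sample_cert(b"\x30\x06\x02\x01\x05\x02\x01\x03")   # a different placeholder key

if __name__ == "__main__":
    print(tlsa_record(OLD_CERT, "mail.example.com"))   # record for the current key
    print(tlsa_record(NEW_CERT, "mail.example.com"))   # record to publish before switching keys
```

With a real certificate the input is the DER form (`openssl x509 -in cert.pem -outform DER`); because selector 1 hashes only the SPKI, the record stays valid across a renewal that keeps the same key pair, and only a key change requires the overlapping old-plus-new publication described above.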
While DANE/TLSA is available for gentoo.org, forums.gentoo.org or gitweb.gentoo.org, it is not available for wiki.gentoo.org and bugs.gentoo.org. Can you please have a look?

TLSA implemented everywhere, please open new bugs for any missing parts you see