[dane] Postfix 2.11.0-RC2 available with feature-complete DANE support

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 10 January 2014 00:17 UTC

Date: Fri, 10 Jan 2014 00:17:26 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140110001726.GO2317@mournblade.imrryr.org>

Postfix 2.11.0 is now in code-freeze.  With 2.11.0-RC2 the DANE
support is feature complete, and matches the DANE SMTP draft.

The official 2.11.0 release will happen in the next couple of weeks.
Test feedback welcome.

    http://www.postfix.org/TLS_README.html#client_tls_dane
    http://www.postfix.org/TLS_README.html#client_tls_policy

While I am busy with IETF drafts, some brave souls have volunteered
to contribute a more consolidated DANE_README tutorial.  I'll post
a link here when/if all goes well on that front.  Currently the
DANE related information is scattered over a few documents.

Minimal client configuration:

    Note: A DNSSEC validating resolver MUST be present on the
    LOOPBACK interface and MUST be the only resolver listed in
    /etc/resolv.conf.  Postfix delegates DNSSEC processing to the
    system's caching resolver.  A local resolver is in any case a
    good idea for an MTA that handles non-trivial mail volumes.

    /etc/resolv.conf:
	nameserver 127.0.0.1

    main.cf:
	smtp_host_lookup = dns
	smtp_dns_support_level = dnssec
	smtp_tls_security_level = dane
	ignore_mx_lookup_error = no

Recommended Server DNS configuration:

	example.com. IN MX 0 mx.example.com.

    Publish one of the two TLSA record forms below; the remaining
    22 combinations have little to recommend them:

	; Per-service EE SPKI TLSA RR:
	;
	_25._tcp.mx.example.com. IN TLSA 3 1 1 {EE SPKI SHA2-256 digest}

	or

	; Domain-wide TA CERT TLSA RR, aliased from each service:
	;
	_25._tcp.mx.example.com. IN CNAME 2.1.1._tlsa.example.com.
	2.1.1._tlsa.example.com. IN TLSA 2 0 1 {TA CERT SHA2-256 digest}

    In the second case the domain-issued TA certificate MUST be
    included in the server chain file:

	# cd /etc/postfix
	# cat ee-cert.pem intermediate.pem ... root-ta.pem > chain.pem
	# postconf -e 'smtpd_tls_security_level = may'
	# postconf -e 'smtpd_tls_cert_file = ${config_directory}/chain.pem'
	# postconf -e 'smtpd_tls_key_file = ${config_directory}/ee-key.pem'

    and the ee-cert MUST have at least one of "mx.example.com" or
    "example.com" as a DNS subjectAltName or subject commonName.

    Avoid wildcard certs; they may allow MITM attackers to redirect
    connections to the wrong hosts.

See http://www.postfix.org/FORWARD_SECRECY_README.html for additional
server TLS tuning.

-- 
	Viktor.
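The two recommended record forms above, as an added Go example that is not part of this post or of Postfix: it computes the "3 1 1" (SHA2-256 of the EE SubjectPublicKeyInfo) and "2 0 1" (SHA2-256 of the full TA certificate) association data from constructed test certificates, then runs only the digest-matching step of DANE to show why the domain TA certificate must be served in chain.pem. The names ta.example.com, newCert, matches and tlsaData are assumptions; path validation up to the TA and the name check are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

func tlsaData(c *x509.Certificate, selector uint8) []byte {
	in := c.RawSubjectPublicKeyInfo // selector 1: DER SubjectPublicKeyInfo
	if selector == 0 {
		in = c.Raw // selector 0: the whole DER certificate
	}
	sum := sha256.Sum256(in) // matching type 1: SHA2-256
	return sum[:]
}
// matches is only DANE's digest-matching step: usage 3 must match the EE cert itself,
// usage 2 any cert the server sent (so the TA must be in chain.pem); no path validation.
func matches(chain []*x509.Certificate, usage, selector uint8, data []byte) bool {
	if usage == 3 { // DANE-EE: only chain[0] may match
		chain = chain[:1]
	}
	for _, c := range chain {
		if string(tlsaData(c, selector)) == string(data) {
			return true
		}
	}
	return false
}
// newCert issues a constructed test certificate; parent == nil means self-signed.
func newCert(name string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func main() {
	ta, taKey := newCert("ta.example.com", true, nil, nil) // constructed domain TA
	ee, _ := newCert("mx.example.com", false, ta, taKey)    // constructed EE for the MX
	fmt.Printf("_25._tcp.mx.example.com. IN TLSA 3 1 1 %x\n", tlsaData(ee, 1))
	fmt.Printf("2.1.1._tlsa.example.com. IN TLSA 2 0 1 %x\n", tlsaData(ta, 0))
	chain := []*x509.Certificate{ee, ta}
	fmt.Println(matches(chain, 2, 0, tlsaData(ta, 0)), matches(chain[:1], 2, 0, tlsaData(ta, 0))) // true false
}
```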