[dane] Postfix 2.11.0-RC2 available with feature-complete DANE support
Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 10 January 2014 00:17 UTC
Date: Fri, 10 Jan 2014 00:17:26 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140110001726.GO2317@mournblade.imrryr.org>
Postfix 2.11.0 is now in code-freeze. With 2.11.0-RC2 the DANE support
is feature complete, and matches the DANE SMTP draft. The official
2.11.0 release will happen in the next couple of weeks. Test feedback
welcome.

    http://www.postfix.org/TLS_README.html#client_tls_dane
    http://www.postfix.org/TLS_README.html#client_tls_policy

While I am busy with IETF drafts, some brave souls have volunteered to
contribute a more consolidated DANE_README tutorial. I'll post a link
here when/if all goes well on that front. Currently the DANE related
information is scattered over a few documents.

Minimal client configuration:

    Note: A DNSSEC validating resolver MUST be present on the LOOPBACK
    interface and MUST be the only resolver listed in /etc/resolv.conf.
    Postfix delegates DNSSEC processing to the system's caching
    resolver. A local resolver is in any case a good idea for an MTA
    that handles non-trivial mail volumes.

    /etc/resolv.conf:
        nameserver 127.0.0.1

    main.cf:
        smtp_host_lookup = dns
        smtp_dns_support_level = dnssec
        smtp_tls_security_level = dane
        ignore_mx_lookup_error = no

Recommended Server DNS configuration:

    example.com. IN MX 0 mx.example.com.

Publish one of the two TLSA record forms below; the remaining 22
combinations have little to recommend them:

    ; Per-service EE SPKI TLSA RR:
    ;
    _25._tcp.mx.example.com. IN TLSA 3 1 1 {EE SPKI SHA2-256 digest}

or

    ; Domain-wide TA CERT TLSA RR, aliased from each service:
    ;
    _25._tcp.mx.example.com. IN CNAME 2.1.1._tlsa.example.com.
    2.1.1._tlsa.example.com. IN TLSA 2 0 1 {TA CERT SHA2-256 digest}

In the second case the domain-issued TA certificate MUST be included
in the server chain file:

    # cd /etc/postfix
    # cat ee-cert.pem intermediate.pem ... root-ta.pem > chain.pem
    # postconf -e 'smtpd_tls_security_level = may'
    # postconf -e 'smtpd_tls_cert_file = ${config_directory}/chain.pem'
    # postconf -e 'smtpd_tls_key_file = ${config_directory}/ee-key.pem'

and the ee-cert MUST have at least one of "mx.example.com" or
"example.com" as a DNS subjectAltName or subject commonName. Avoid
wildcard certs; they may allow MITM attackers to redirect connections
to the wrong hosts.

See http://www.postfix.org/FORWARD_SECRECY_README.html for additional
server TLS tuning.

-- 
	Viktor.
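The two record forms above differ in what they hash: "3 1 1" covers only the end-entity SubjectPublicKeyInfo, "2 0 1" covers the whole DER certificate of the trust anchor. The following is an added example, not Postfix code or anything from the message, that derives both RDATA forms from a certificate with a minimal DER walker and checks a presented certificate against a published record. The sample certificate is constructed in-code (dummy key, empty names) purely so the script runs offline; on a real server you would feed it the DER of ee-cert.pem or root-ta.pem (e.g. from openssl x509 -outform DER).

```python
import hashlib

def _der(tag, *children):
    """Minimal DER encoder: tag, length, concatenated children."""
    body = b"".join(children)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 Certificate."""
    _, pos, _ = _tlv(cert_der, 0)                      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)                    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                 # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)                    # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_rdata(cert_der, usage, selector, mtype=1):
    """TLSA RDATA per RFC 6698: selector 0 = full cert, 1 = SPKI; mtype 1 = SHA2-256, 2 = SHA2-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(cert_der, rdata):
    """True if the presented certificate satisfies the published TLSA record (case/space-insensitive)."""
    usage, selector, mtype, _ = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)) == " ".join(rdata.lower().split())

# Constructed sample (not a real certificate): rsaEncryption SPKI with a dummy key bit string.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")), _der(0x05)),
                   _der(0x03, b"\x00" + b"\xde\xad\xbe\xef" * 4))

def make_sample_cert(serial):
    """Constructed Certificate DER around SAMPLE_SPKI; the serial changes, the key does not."""
    sigalg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])), sigalg,
               _der(0x30), _der(0x30, _der(0x17, b"140110000000Z"), _der(0x17, b"150110000000Z")),
               _der(0x30), SAMPLE_SPKI)
    return _der(0x30, tbs, sigalg, _der(0x03, b"\x00" * 9))
```

A renewed certificate with the same key keeps matching a "3 1 1" record, while any "x 0 1" full-certificate record must be republished whenever the certificate it covers changes.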