HackerTrans
トップ新着トレンドコメント過去質問紹介求人

lquidfire

no profile record

投稿

Announce: SMTP DANE Verify – self-monitor your DANE policy

github.com
3 ポイント·投稿者 lquidfire·7 か月前·1 コメント

コメント

lquidfire
·7 か月前·議論
Mail server admins might (will? should?) have heard of DANE. DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) are complementary security protocols that work together to secure internet communications, especially email.

In the hopes of bringing more awareness to DANE, and how to implement (and monitor, which is key!) DANE on large and small mail servers, the friendly folks at sys4.de have published a tool to help monitoring DANE.

May DANE spread far and wide - and may your self-signed certificates be verified and trusted via your DNSSEC-authenticated DNS records!

From a post by Patrick Ben Koetter to the DANE mailing list at sys4.de [0]:

Greetings!

Our this year's Christmas gift to the community is a service that let’s you monitor and detect typical DANE related problems for DANE-enabled inbound SMTP services. You can integrate the service in your own service environment or run it as a docker container and poll it for test results from a monitoring service.

## Why? We believe every platform should enable and use DANE. DANE is the missing piece in TLS or as Wietse Venema once put it: „Encryption without authentication is not 'security'. It just gives some privacy.“ DANE adds the missing authentication bit. But DANE enforces strict policy and if your platform fails inbound DANE-verification you will not receive email from those platforms that enforce outbound DANE-verification. A failing DANE policy imposes a production risk.

## Why would your platform fail DANE verification? From discussions with Viktor about the statistics he generates at https://stats.dnssec-tools.org/#/ we know that in most cases, when DANE-enabled platforms fail DANE-verification, it is because the published TLSA resource record(s) in DNS do not match one of the x509 certificate's fingerprint.

We want everybody to benefit from the security DANE adds to TLS and not have people look at it as a production risk! This is why we built the SMTP DANE Verify service. It will test and detect common DANE policy problems. Using SMTP DANE Verify everybody will be able to monitor their own (and other) domains and raise an alarm in case the tested domain fails DANE verification.

## How would you use SMTP DANE Verify? If you think SMTP DANE Verify is for you check out the project at https://github.com/sys4/smtp-dane-verify. The project's README should give you all the information you need to setup, run and integrate SMTP DANE Verify on your platform.

On a sidenote: In case you are still in doubt if anyone should be using DANE at all: the EU has launched a Multi-Stakeholder Working Group for Internet Standards in the EU and DANE is a major item on the groups roadmap. Follow this link to read more: https://digital-strategy.ec.europa.eu/en/news/european-commi......

And that's it! We hope you will find it as useful as we do. Season greetings to all of you. Peace on earth to all of us. o:)

p@rick

[0]: https://list.sys4.de/hyperkitty/list/[email protected]...
lquidfire
·8 か月前·議論
Cool project! I take it the goal is that, overhead being acceptable, most C / C++ programmes don't actually "have to be" rewritten in something like Rust?

I wonder how / where Epic Games comes in?
lquidfire
·11 か月前·議論
> The upcoming email hosting service from Thunderbird will support IMAP, SMTP and JMAP out of the box

Ahh, will Thunderbird finally see full JMAP support? Hooray!

For the self-hosters (other than those using Stallwart):

Cyrus does, of course, support JMAP (it's what Fastmail uses); Dovecot has apparently no interest / no manpower to really implement it themselves, but are willing to take a contribution[0].

One day I am going to configure Cyrus just for JMAP.

[0]: https://dovecot.org/mailman3/archives/list/[email protected]...