On 04/12/15 17:57, Mark Elkins wrote:
> Would like to see a working config example of DANE too... ;-)
Client side, set hosts_try_dane = * on your smtp transports,
unless you have specific targets known to not work.
Server side, first get DNSSEC going. That's the hard part.
Then it's all DNS configuration - and there are several options.
If you want EE cert-usage (end-entity, meaning "the leaf
cert should match this") then records like this:
dane256ee A HOSTIPV4
_25._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
... hostname to suit, HOSTIPV4 being your actual A-record IP,
and that hash being generated by:
openssl x509 -in <CERTIFICATE-FILE> -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 \
| awk '{print $2}'
Or if you want TA cert-usage (trust-anchor, meaning "the chain should start
with a CA matching this") then
dane256ta A HOSTIPV4
_25._tcp.dane256ta TLSA 2 0 1 882be5ac06deafdc021a69daa457226153bfde6da7914813b0144b0fd31bf7ae
openssl x509 -in <CERTIFICATE-FILE> -fingerprint -sha256 -noout \
| awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
... but you do need to get that CA cert into a file which is a
pain if it's not a private-CA. I need to work up a decent method
for generating a TA-mode TLSA for a random site using a public-CA.
Duplicate TLSAs for any other ports needed apart from 25.
Other variants are possible; see rfc 6698 section 2 for
details - but pretty much only EE & TA cert-usage are
useful for SMTP.
--
Cheers,
Jeremy
