[exim] TLSA Security vs SSL/TLS security

Author: Mark Elkins
Date:  
To: exim-users
Subject: [exim] TLSA Security vs SSL/TLS security
I'm looking for some answers/clarification to various advantages of DANE
vs normal MTA security and opportunistic TLS....

I'm only talking about MTA - Mail Transport Agents, software that
transfers e-mail from one Mail Agent to another - e.g. exim, postfix, etc.

I know Viktor (amongst others) lurks here....

Without DANE/TLSA records.

                 -------------------


(1) When two Mail Servers talk and discover (opportunistically) that
they can both talk SSL/TLS, does the Sender ever check the Receiver's
Certificate to make sure that the Primary or Alternative names match the
Receiving Server it is trying to connect to?

i.e. a Man-in-the-middle attack could also be using SSL/TLS Certificates
(from anywhere), copy the email, then forward it on. I always told this
part of the story with the Man-in-the-middle forcing the conversation to
clear text.

(In DANE, the DNS/Mail/Security manager basically circumvents this need
by putting in matching TLSA in the (DNSSEC signed) DNS along with the
appropriate SSL/TLS Certificate in the Mail Servers config.)

                 -------------------


(2) If I listen on port 465, should I also have a TLSA record for that
port as well? e.g.

_465._tcp.mail.mydomain.tld. IN TLSA 3 1 1 2A1492F9....

                 -------------------


(3) What makes a Sending mail server ever connect to port 465 of a
receiving mail server, except the obvious of some sort of static
configuration?

                 -------------------


With DANE:

(4) When running an ISP environment, single Mail Server with its own
SSL/TLS Certificate, lots of virtual users with their own (Other)
Domains, the Main Mail server has (I would think) just one SSL/TLS
Certificate - presumably matching "mail.myisp.tld". Matching TLSA in the
(secured) DNS. No problem for "DANE" styled e-mail to be sent to
"user@???".

The many Other Domains can have a CNAME "mail.myname.tld" that points to
"mail.myisp.tld".

Do the Other Domains have to be DNSSEC Signed? Ideally - I'd get
everything signed. Will this work "DANE" style though if the hundreds of
virtual domains don't have DNSSEC?

I personally think it _should_ work - but don't know. (Have not yet got
Exim to speak DANE, or found the HowTo which describes this).




-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
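As an added example (not part of Mark's post, and not Exim's or Postfix's code), the following standard-library Python script shows what the "3 1 1" fields of the record in question (2) actually mean and what the certificate check that question (1) asks about looks like under DANE: it extracts the SubjectPublicKeyInfo from a DER certificate (selector 1), hashes it with SHA-256 (matching type 1), prints the resulting TLSA line under the MX host's owner name, and then performs the DANE-EE (usage 3) comparison of a presented certificate against that RDATA. The certificate is a constructed dummy with the real X.509 field order but filler key bits and signature; the host name mail.example.test is an assumption. Only usage 3 is checked here; usage 2 (DANE-TA) would need chain building, which this example does not attempt.

```python
"""Added example: TLSA association data and a DANE-EE match, standard library only.

The certificate built by build_sample_cert() is a CONSTRUCTED dummy: correct
DER structure, but filler key material and signature. It is not usable as a
real certificate; it only exists so the parser and hashing can be exercised.
"""
import hashlib
import hmac

# ASN.1 tags used below
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)
EXPLICIT_0 = 0xA0  # [0] EXPLICIT, wraps the optional TBSCertificate version


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos: returns (tag, content, raw_tlv_bytes, end_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def children(content: bytes):
    """Split the content of a constructed value into its child TLVs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = read_tlv(content, pos)
        out.append((tag, body, raw))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    _, cert_body, _, _ = read_tlv(cert_der)
    tbs = children(cert_body)[0]              # tbsCertificate is the first child
    fields = children(tbs[1])
    if fields[0][0] == EXPLICIT_0:            # skip the optional version field
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    return fields[5][2]


def tlsa_association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data per RFC 6698: selector picks the input, matching type the hash."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # 0 = full cert, 1 = SPKI
    if matching_type == 0:
        return data                            # exact match, no hashing
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_record(mx_host: str, port: int, usage: int, selector: int,
                matching_type: int, cert_der: bytes) -> str:
    """Zone-file line. The owner name is the MX host (and port), not the recipient's mail domain."""
    data = tlsa_association_data(cert_der, selector, matching_type).hex().upper()
    return f"_{port}._tcp.{mx_host}. IN TLSA {usage} {selector} {matching_type} {data}"


def dane_ee_matches(cert_der: bytes, rdata: str) -> bool:
    """DANE-EE (usage 3) check: does the presented leaf certificate match this TLSA RDATA?

    Usage 2 (DANE-TA) would require validating a chain to the trust anchor and is
    deliberately not handled here.
    """
    usage, selector, mtype, hexdata = rdata.split()
    if int(usage) != 3:
        return False
    expected = bytes.fromhex(hexdata)
    actual = tlsa_association_data(cert_der, int(selector), int(mtype))
    return hmac.compare_digest(actual, expected)


def build_sample_cert(key_filler: bytes = b"\x42" * 64) -> bytes:
    """Constructed dummy certificate (assumed host mail.example.test): real structure, filler key/signature."""
    rsa_alg = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D010101")) + der(NULL, b""))   # rsaEncryption
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))  # sha256WithRSA
    spki = der(SEQUENCE, rsa_alg + der(BIT_STRING, b"\x00" + key_filler))
    cn = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, bytes.fromhex("550403"))   # commonName
                                   + der(UTF8STRING, b"mail.example.test"))))
    validity = der(SEQUENCE, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    tbs = der(SEQUENCE, der(EXPLICIT_0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + sha256_rsa + cn + validity + cn + spki)
    return der(SEQUENCE, tbs + sha256_rsa + der(BIT_STRING, b"\x00" * 33))


if __name__ == "__main__":
    cert = build_sample_cert()
    # The owner name carries the port, so a listener on another port needs its own record.
    for port in (25, 465):
        print(tlsa_record("mail.example.test", port, 3, 1, 1, cert))
    rdata = tlsa_record("mail.example.test", 25, 3, 1, 1, cert).split(" IN TLSA ")[1]
    print("same key presented:   ", dane_ee_matches(cert, rdata))
    print("rotated key presented:", dane_ee_matches(build_sample_cert(b"\x43" * 64), rdata))
```

The "3 1 1" form pins the public key rather than the whole certificate, which is why the record survives a certificate renewal with the same key but fails (as the last line shows) when the key is rotated without publishing a new record first; the DNS side of the check, fetching the record and confirming it arrived DNSSEC-validated, is outside this script.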