
Add DANE support for the mail server

Open arodier opened this issue 6 years ago • 7 comments

DANE is DNS-based Authentication of Named Entities.

It is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

arodier avatar Apr 13 '19 19:04 arodier

This seems to be a good start: https://www.internetsociety.org/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/. However, it seems more cumbersome than MTA-STS.

arodier avatar Oct 15 '19 20:10 arodier

It seems like I have successfully implemented DANE for the mail server.

It needs further testing in order to write a manual, but it looks promising. However, DANE does require correctly configured DNSSEC, since the former relies on the latter.

sorcer1122 avatar Jun 03 '20 07:06 sorcer1122

Hello @sorcer1122. Great, if you submit a PR, we can check the code. I will invite you to the other repositories; this will give you the framework for local testing.

arodier avatar Jun 03 '20 07:06 arodier

My problem is that I have never done any collaboration on GitHub, so it will take me a while to write the code and submit a PR. However, the code should not be very long; it seemed to be a simple process.

sorcer1122 avatar Jun 03 '20 07:06 sorcer1122

OK, I have faced the following issue. One needs to add a new DNS record in order for DANE to work: a TLSA record, where one should add the SHA-256 hash of the Let's Encrypt certificates. Since LE certificates are updated once every 90 days, the hash will change, so it is recommended to add two TLSA records: one for the current certificate and one for the root certificate (roll-over record). I used this one: https://letsencrypt.org/certs/isrgrootx1.pem.txt

Now my certificates have been updated and, for some reason, DANE stopped working until I calculated the new hash, amended both TLSA records and re-signed the whole zone (luckily, there is a script for this). Now I am trying to understand how to automate this process.

sorcer1122 avatar Jun 13 '20 21:06 sorcer1122

There are some hooks in the Let's Encrypt hooks folder that we are using, which you can take as a sample. For instance, since the Jabber server requires a bundle with the certificate and the private key in one PEM file, this file is created on each renewal by a custom script. Perhaps you can do everything in one bash script, for instance updating the DNS records in the local bind server. This supposes we are using the internal bind DNS server, of course.

arodier avatar Jun 14 '20 04:06 arodier
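The two comments above describe the TLSA hash calculation and the idea of running it from a Let's Encrypt renewal hook. The script below is an added example, not homebox's own hook, and assumes only the `openssl` command line tool; the function names (`tlsa_cert_sha256`, `tlsa_spki_sha256`, `tlsa_record`) and the host name `mail.example.test` are mine. It goes a little beyond the thread by producing both TLSA selectors: selector 0 hashes the whole certificate and changes on every renewal (the breakage reported above), while selector 1 hashes only the SubjectPublicKeyInfo and stays the same as long as the renewal reuses the private key, which certbot does with `--reuse-key`.

```shell
#!/bin/sh
# Added example (not homebox's own code): derive DANE TLSA records for an SMTP
# server from its certificate with openssl, so a renewal hook can regenerate them.
#
# Record layout: _25._tcp.<mailhost>. IN TLSA <usage> <selector> <matching-type> <hex>
#   usage 3    = DANE-EE: the record pins the server's own certificate/key
#   selector 0 = full certificate (DER)   selector 1 = SubjectPublicKeyInfo only
#   matching 1 = SHA-256
set -e

# The last whitespace-separated field of "openssl dgst" output is the hex digest,
# whatever the digest label looks like on the local openssl version.
_hex_digest() {
  openssl dgst -sha256 -hex | awk '{print $NF}'
}

# "3 0 1" data: SHA-256 of the whole DER certificate. This changes on every
# renewal, which is why the records stopped matching in the thread above.
tlsa_cert_sha256() {
  openssl x509 -in "$1" -outform DER | _hex_digest
}

# "3 1 1" data: SHA-256 of the DER SubjectPublicKeyInfo. As long as the renewal
# keeps the same private key (e.g. certbot --reuse-key), this value is stable
# across renewals, so the record does not have to be re-published each time.
tlsa_spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | _hex_digest
}

# Print the zone-file line for port 25 of the given host, pinning the SPKI.
# $1 = certificate PEM, $2 = mail host name (without trailing dot)
tlsa_record() {
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(tlsa_spki_sha256 "$1")"
}

# Stand-alone use from a renewal hook: tlsa.sh /path/to/cert.pem mail.example.test
if [ "$#" -eq 2 ]; then
  tlsa_record "$1" "$2"
fi
```

A renewal hook would call `tlsa_record` with the freshly issued certificate, write the line into the zone file and then re-sign the zone, exactly the step the thread says had to be done by hand. Publishing the "3 1 1" record of the current key alongside the "3 1 1" record of the next key before switching is the usual way to roll over without a window in which DANE verification fails.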

I am testing a fix, in the associated branch. I will see how it is behaving on a live system.

progmaticltd avatar Feb 07 '24 07:02 progmaticltd

Results so far:

  • https://dane.sys4.de/smtp/rodier.me
  • https://dane.sys4.de/smtp/homebox.space

progmaticltd avatar Feb 07 '24 07:02 progmaticltd

This is now implemented, ping me if you have any questions.

progmaticltd avatar Feb 14 '24 19:02 progmaticltd