From 264f2f35ebd23cc9119716be827a39eb92ed671d Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Sat, 3 Aug 2019 23:51:44 +0200 Subject: [PATCH] Update DANE-for-SMTP-how-to.md --- DANE-for-SMTP-how-to.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 5d1dbe5..40ed795 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md @@ -1,13 +1,11 @@ -# Table of contents -- [Table of contents](#table-of-contents) - [Executive Summary](#executive-summary) - [Introduction](#introduction) - [What is DANE?](#what-is-dane-) - [Why use DANE for SMTP?](#why-use-dane-for-smtp-) - * [DANE explained by illustrations](#dane-explained-by-illustrations) + * [Advantages of DANE explained by illustrations](#advantages-of-dane-explained-by-illustrations) + [Mail delivery: TLS without DANE](#mail-delivery--tls-without-dane) + [Mail delivery: TLS with MITM using evil certificate](#mail-delivery--tls-with-mitm-using-evil-certificate) - + [Mail delivery: TLS with MITM using evil certificate](#mail-delivery--tls-with-mitm-using-evil-certificate-1) + + [Mail delivery: TLS with MITM stripping TLS](#mail-delivery--tls-with-mitm-stripping-tls) + [Mail delivery: TLS with DANE](#mail-delivery--tls-with-dane) - [Reliable certificate rollover](#reliable-certificate-rollover) * [Current + next details](#current---next-details) @@ -27,7 +25,7 @@ + [DNSSEC validating resolvers](#dnssec-validating-resolvers) + [Configure DNSSEC validation in Exim](#configure-dnssec-validation-in-exim) + [Configure DANE](#configure-dane) -- [Implementing DANE for SMTP using Halon (inbound & outbound e-mail traffic)](#implementing-dane-for-smtp-using-halon--inbound---outbound-e-mail-traffic-) +- [Implementing DANE for SMTP on Halon (inbound & outbound e-mail traffic)](#implementing-dane-for-smtp-on-halon--inbound---outbound-e-mail-traffic-) * [Generic configuration](#generic-configuration) + [Install or generate key pair](#install-or-generate-key-pair-1) + [DNSSEC](#dnssec) @@ -71,7 +69,7 @@ DANE addresses these shortcomings because: * This allows sending mail servers to unconditionally require STARTTLS with a matching certificate chain. Otherwise, the sending mail server aborts the connection and tries another server or defers the message. * Receiving servers with published TLSA records, are therefore no longer vulnerable to "STARTTLS stripping". -## DANE explained by illustrations +## Advantages of DANE explained by illustrations ### Mail delivery: TLS without DANE The illustration below shows two TLS capable e-mail servers without using DANE. ![](dane-example-1-no-dane.png)