Update DANE-for-SMTP-how-to.md

This commit is contained in:
Dennis Baaten 2019-08-08 12:21:39 +02:00 committed by GitHub
parent 264f2f35eb
commit 3643e336b5


@ -86,6 +86,8 @@ The illustration below shows what happens when an attacker performs a man in the
The illustration below shows how the use of DANE can protect against man in the middle (MITM) attacks by addressing the shortcomings of TLS without DANE. The illustration below shows how the use of DANE can protect against man in the middle (MITM) attacks by addressing the shortcomings of TLS without DANE.
![](dane-example-1-with-dane.png) ![](dane-example-1-with-dane.png)
### Mail delivery: TLS with DANE without DNSSEC
Although guaranteeing reliable DNS resolving is actually an advantage of DNSSEC, it is still worth mentioning here. Notice that in the example above (TLS with DANE) the lack of DNSSEC would make it possible for an attacker to alter DNS responses (2 and 4). Such an attack can be used to trick the sender into sending e-mail to a rogue e-mail server.
# Reliable certificate rollover # Reliable certificate rollover
It is a good practice to replace certificates and keys from time to time, but this need not and should not disrupt email delivery even briefly. It is a good practice to replace certificates and keys from time to time, but this need not and should not disrupt email delivery even briefly.
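Review bot: The new "TLS with DANE without DNSSEC" subsection relies on the reader to match "DNS responses (2 and 4)" against a figure that this subsection does not include, while the two sibling subsections each end with an illustration; either add the corresponding image line (the same `![](...)` form used two lines above) or spell out in the sentence which lookups 2 and 4 are, so the attack is understandable from the text alone. The opening sentence also undersells the point it is making: "Although guaranteeing reliable DNS resolving is actually an advantage of DNSSEC, it is still worth mentioning here" reads as an apology rather than the key dependency, and the paragraph would be stronger if it stated directly that DANE only protects the connection when the sender can trust the DNS answers it acts on, which is exactly what DNSSEC provides, and then gave the altered-responses attack as the consequence. Minor style: "DNS resolving" should be "DNS resolution", and this paragraph uses "e-mail" while the unchanged text on the next line uses "email"; pick one spelling for the document.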