Updated DANE how to (markdown)

Dennis Baaten 2019-04-12 22:39:44 +02:00
parent f7c82edcf2
commit 8f3f2aa578


@ -75,11 +75,18 @@ With this information we can create a rollover DNS record for DANE:
# Implementing DANE for inbound e-mail traffic # Implementing DANE for inbound e-mail traffic
## Configuring Postfix ## Configuring Postfix
Postfix plays an important role in using DANE when available. Postfix plays an important role in using DANE for validating the when available.
Make sure the following entries are present in **/etc/postfix/main.cf** Make sure the following entries are present in **/etc/postfix/main.cf**
> smtp_dns_support_level = dnssec > smtp_dns_support_level = dnssec
This setting tells Postfix to perform DNS lookups using DNSSEC. This is an important prerequisite for DANE to be effective, since regular DNS lookups can be manipulated.
> smtp_tls_security_level = dane > smtp_tls_security_level = dane
The "dane" level is a stronger form of opportunistic TLS that is resistant to man in the middle and downgrade attacks when the destination domain uses DNSSEC to publish DANE TLSA records for its MX hosts. If a remote SMTP server has "usable" (see section 3 of RFC 7672) DANE TLSA records, the server connection will be authenticated. When DANE authentication fails, there is no fallback to unauthenticated or plaintext delivery.
The Postfix SMTP client supports only certificate usages "2" and "3".
> smtp_host_lookup = dns > smtp_host_lookup = dns
> smtp_tls_note_starttls_offer = yes > smtp_tls_note_starttls_offer = yes
> smtpd_tls_CAfile = /path/to/ca-bundle-file.crt > smtpd_tls_CAfile = /path/to/ca-bundle-file.crt
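Review bot: the reworded first sentence of "Configuring Postfix" is left incomplete: "using DANE for validating the when available" has no object after "the"; it should say what is being validated (e.g. "for validating remote SMTP servers"), or revert to the original wording. Two smaller points on the same hunk: the new explanatory sentence for `smtp_dns_support_level = dnssec` should add that this only makes Postfix ask for DNSSEC-validated answers (the AD bit), so the resolver in /etc/resolv.conf must itself be a trusted, validating resolver (typically on localhost), otherwise the "regular DNS lookups can be manipulated" caveat still applies; and the new prose lines are placed directly under `> smtp_dns_support_level = dnssec` and `> smtp_tls_security_level = dane` with no blank line in between, which markdown renders as a lazy continuation of the blockquote, so a blank line after each quoted setting is needed for the text to render as a paragraph.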