From a41a11e2149ea25776b209ace2b9d9bf3837c2cd Mon Sep 17 00:00:00 2001
From: Dennis Baaten <dennis@baaten.com>
Date: Mon, 15 Jul 2019 15:10:53 +0200
Subject: [PATCH] Update DANE-for-SMTP-how-to.md

---
 DANE-for-SMTP-how-to.md | 40 ++++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md
index 3637cb1..aa983ef 100644
--- a/DANE-for-SMTP-how-to.md
+++ b/DANE-for-SMTP-how-to.md
@@ -1,16 +1,22 @@
 # Table of contents
-- [Executive Summary](#summary)
+- [Executive Summary](#executive-summary)
 - [Introduction](#introduction)
 - [What is DANE?](#what-is-dane-)
 - [Why use DANE for SMTP?](#why-use-dane-for-smtp-)
-- [Guaranteeing a valid TLSA record](#guaranteeing-a-valid-tlsa-record)
+  * [DANE explained by illustrations](#dane-explained-by-illustrations)
+    + [Mail delivery: TLS without DANE](#mail-delivery--tls-without-dane)
+    + [Mail delivery: TLS with MITM using evil certificate](#mail-delivery--tls-with-mitm-using-evil-certificate)
+    + [Mail delivery: TLS with MITM using evil certificate](#mail-delivery--tls-with-mitm-using-evil-certificate-1)
+    + [Mail delivery: TLS with DANE](#mail-delivery--tls-with-dane)
+- [Reliable certificate rollover](#reliable-certificate-rollover)
+  * [Current + next details](#current---next-details)
 - [Tips, tricks and notices for implementation](#tips--tricks-and-notices-for-implementation)
-- [Outbound e-mail traffic (DNS records)](#outbound-e-mail-traffic--dns-records-)
+- [Inbound e-mail traffic (publishing DANE DNS records)](#inbound-e-mail-traffic--publishing-dane-dns-records-)
   * [Generating DANE records](#generating-dane-records)
   * [Publishing DANE records](#publishing-dane-records)
   * [Generating DANE roll-over records](#generating-dane-roll-over-records)
   * [Publishing DANE roll-over records](#publishing-dane-roll-over-records)
-- [Implementing DANE for SMTP on Postfix (inbound e-mail traffic)](#implementing-dane-for-smtp-on-postfix--inbound-e-mail-traffic-)
+- [Implementing DANE for SMTP on Postfix (inbound & outbound e-mail traffic)](#implementing-dane-for-smtp-on-postfix--inbound---outbound-e-mail-traffic-)
   * [Configuring Postfix](#configuring-postfix)
 - [Implementing DANE for SMTP on Exim (inbound & outbound e-mail traffic)](#implementing-dane-for-smtp-on-exim--inbound---outbound-e-mail-traffic-)
   * [Configuration for inbound e-mail traffic](#configuration-for-inbound-e-mail-traffic)
@@ -53,6 +59,24 @@ DANE addresses these shortcomings because:
 * This allows sending mail servers to unconditionally require STARTTLS with a matching certificate chain. Otherwise, the sending mail server aborts the connection and tries another server or defers the message.
 * Receiving servers with published TLSA records, are therefore no longer vulnerable to "STARTTLS stripping".
 
+## DANE explained by illustrations
+### Mail delivery: TLS without DANE
+The illustration below shows two TLS capable e-mail servers without using DANE.
+![](dane-example-1-no-dane.png)
+
+### Mail delivery: TLS with MITM using evil certificate 
+The illustration below shows what happens when an attacker performs a man in the middle (MITM) attack and inserts its own certificate into the connection process.
+![](dane-example-1-evilcert.png)
+
+### Mail delivery: TLS with MITM using evil certificate 
+The illustration below shows what happens when an attacker performs a man in the middle (MITM) attack and forces an unsecure connection by stripping the TLS capability from the receiving e-mail server. 
+![](dane-example-1-striptls.png)
+
+### Mail delivery: TLS with DANE
+The illustration below shows how the use of DANE can protect against man in the middle (MITM) attacks by addressing the shortcomings of TLS without DANE.
+![](dane-example-1-with-dane.png)
+
+
 # Reliable certificate rollover
 It is a good practice to replace certificates and keys from time to time, but this need not and should not disrupt email delivery even briefly.
 * Since a single TLSA record is tied to a particular certificate or (public) key, the TLSA records that match a server's certificate chain also change from time to time.
@@ -102,8 +126,8 @@ This section describes several pionts for attention when implementing DANE for S
 * Implement monitoring of your DANE records to be able to detect problems as soon as possible. 
 * Make sure your implementation supports the usage of a CNAME in your MX record. There are some inconsistencies between multiple RFC's. According to [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) a CNAME in MX records is not allowed, while [RFC 7671](https://tools.ietf.org/html/rfc7671#section-7) and [RFC 5321](https://tools.ietf.org/html/rfc5321#section-5.1) imply that the usage of a CNAME in MX records is allowed.
 
-# Outbound e-mail traffic (DNS records)
-This part of the how-to describes the steps that should be taken with regard to your outbound e-mail traffic. This enables other parties to use DANE for validating the certificates offered by your e-mail servers. 
+# Inbound e-mail traffic (publishing DANE DNS records)
+This part of the how-to describes the steps that should be taken with regard to your inbound e-mail traffic, which primairily involves publishing DANE DNS records. This enables other parties to use DANE for validating the certificates offered by your e-mail servers. 
 
 ## Generating DANE records
 **Primary mail server (mail1.example.nl)**
@@ -178,7 +202,7 @@ With this information we can create a rollover DNS record for DANE:
 > _25._tcp.mail.example.nl. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde  
 > _25._tcp.mail2.example.nl. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
 
-# Implementing DANE for SMTP on Postfix (inbound e-mail traffic)
+# Implementing DANE for SMTP on Postfix (inbound & outbound e-mail traffic)
 
 **Specifics for this setup**
 * Linux Debian 9.8 (Stretch) 
@@ -238,7 +262,7 @@ In Exim you should configure TLS by adding the following to **main/03_exim4-conf
     tls_privatekey = /path/to/private.key
 
 ## Configuration for outbound e-mail traffic
-This part of the how-to describes the steps that should be taken with regard to your outbound e-mail traffic. This enables other parties to use DANE for validating the certificates offered by your e-mail servers. 
+This part of the how-to describes the steps that should be taken with regard to your outbound e-mail traffic. This enables your e-mail environment to use DANE for validating the certificates offered by other e-mail servers. 
 
 ### DNSSEC validating resolvers
 Make sure to configure DNSSEC validating resolvers on the mail server. When using the locale systemd resolver, make sure to add the following to **/etc/systemd/resolved.conf**.