Git/email-toolbox-wiki
1
0
Fork 0
mirror of https://github.com/internetstandards/toolbox-wiki.git synced 2024-11-21 18:41:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update DANE-for-SMTP-how-to.md

Browse Source
This commit is contained in:
Dennis Baaten 2019-08-25 22:01:20 +02:00 committed by GitHub
parent fcc2300b97
commit ef7a49befb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
DANE-for-SMTP-how-to.md
View File

@ -8,6 +8,7 @@ This how-to is created by the Dutch Internet Standards Platform (the organizatio
- Robust automation of coordinated DNS and email server certificate chain updates.
- These topics will be covered in more detail in this how-to.
* Please plan carefully and then deploy DANE for your email servers. Botched deployments not not only harm the domain in question, but also have a deterrent effect on adoption by others.
* For more information on adoption statistics and software support, take a look at: [https://github.com/baknu/DANE-for-SMTP/wiki](https://github.com/baknu/DANE-for-SMTP/wiki)
# Table of contents
- [What is DANE?](#what-is-dane-)
@ -152,7 +153,7 @@ Make sure that your servers support TLS 1.2, and offer STARTTLS to all clients,
# Tips, tricks and notices for implementation
This section describes several pionts for attention when implementing DANE for SMTP.
* The TLSA record is used for the MX domain. So if your using another domain's nameserver, make sure to ask the administrator of that other domain to support DANE.
* DANE is meant to be used for the MX domain. So if you are using another domain's mail server, make sure to ask the administrator of that domain to support DANE by setting up a TLSA record.
* Make sure that DNSSEC is implemented properly. A lot of DANE breakage stems from receiving/recipient domains with broken DNSSEC implementation.
* Purchasing of expensive certificates for mail server has no to little added value for the confidentiality since mail server don't validate certificates by default. Depending on the context there can be other advantages which makes organizations decide to use specific certificates.
* It is recommended to use a certificates public key for generating a TLSA signature (selector type "1") instead of the full certificate (selector type "0"), because this enables the reuse of key materials. Notice that the use of Forward Secrecy decreases the need to use a new key-pair on every occasion.