Git/email-toolbox-wiki
1
0
Fork 0
mirror of https://github.com/internetstandards/toolbox-wiki.git synced 2025-11-03 23:35:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated DANE How to (markdown)

Browse Source
This commit is contained in:
Dennis Baaten
2019-04-12 18:55:02 +02:00
parent 79d74bd4c8
commit ffd964b47e
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
DANE-How-to.md
View File

@@ -39,7 +39,7 @@ Now that we have the SHA-256 hashes, we can construct the DNS records. We make t
With this information we can create the DNS record for DANE:
> _25._tcp.mail.example.com. IN TLSA 3 1 1 29c8601cb562d00aa7190003b5c17e61a93dcbed3f61fd2f86bd35fbb461d084
> _25._tcp.mail.example.com. IN TLSA 3 1 1 29c8601cb562d00aa7190003b5c17e61a93dcbed3f61fd2f86bd35fbb461d084
> _25._tcp.mail2.example.com. IN TLSA 3 1 1 22c635348256dc53a2ba6efe56abfbe2f0ae70be2238a53472fef5064d9cf437
## Generating DANE roll-over records
@@ -47,13 +47,11 @@ We use the provided bundle file for generating the DANE hashes belonging to the
For each file we view the **subject** and the **issuer**. We start with the first file using `openssl x509 -in bundlecert.1.crt -noout -subject -issuer`. This results in the following output.
> subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
For the second file we use `openssl x509 -in bundlecert.2.crt -noout -subject -issuer`. This results in the following output.
> subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Based on the information of these two certificates, we can conclude that the second certificate (bundlecert.2.crt) is the root certificate; since root certificates are self-signed the **subject** and the **issuer** are the same. The other certificate (bundlecert.1.crt) is an intermediate certificate which is (in this case) signed by the root certificate.
@@ -71,10 +69,17 @@ Now that we have the SHA-256 hash, we can construct the DANE roll-over DNS recor
* Matching-type field is "**1**"; because we use SHA-256.
With this information we can create a rollover DNS record for DANE:
> _25._tcp.mail.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
> _25._tcp.mail.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
> _25._tcp.mail2.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
## Configuring mailserver
# Implementing DANE for inbound e-mail traffic
## Configuring Postfix
Postfix plays an important role in using DANE when available.
Make sure the following entries are present in **/etc/postfix/main.cf**
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
> smtp_host_lookup = dns
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_CAfile = /path/to/ca-bundle-file.crt