mirror of https://github.com/internetstandards/toolbox-wiki.git, synced 2024-11-25 12:31:36 +01:00
Updated DANE How to (markdown)
commit ffd964b47e (parent 79d74bd4c8)
@ -48,12 +48,10 @@ We use the provided bundle file for generating the DANE hashes belonging to the
For each file we view the **subject** and the **issuer**. We start with the first file using `openssl x509 -in bundlecert.1.crt -noout -subject -issuer`. This results in the following output.
For each file we view the **subject** and the **issuer**. We start with the first file using `openssl x509 -in bundlecert.1.crt -noout -subject -issuer`. This results in the following output.
> subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
For the second file we use `openssl x509 -in bundlecert.2.crt -noout -subject -issuer`. This results in the following output.
For the second file we use `openssl x509 -in bundlecert.2.crt -noout -subject -issuer`. This results in the following output.
> subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
> issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Based on the information of these two certificates, we can conclude that the second certificate (bundlecert.2.crt) is the root certificate; since root certificates are self-signed the **subject** and the **issuer** are the same. The other certificate (bundlecert.1.crt) is an intermediate certificate which is (in this case) signed by the root certificate.
Based on the information of these two certificates, we can conclude that the second certificate (bundlecert.2.crt) is the root certificate; since root certificates are self-signed the **subject** and the **issuer** are the same. The other certificate (bundlecert.1.crt) is an intermediate certificate which is (in this case) signed by the root certificate.
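Review bot: the conclusion in this hunk's last context line ("Based on the information of these two certificates, we can conclude that the second certificate ... is the root certificate") infers a root from matching subject and issuer alone; that only shows the certificate is self-signed, not that it is the trust anchor the intermediate actually chains to. Suggest adding a verification step before the hashing step, e.g. `openssl verify -CAfile bundlecert.2.crt bundlecert.1.crt`, so the reader confirms that bundlecert.1.crt is really signed by bundlecert.2.crt before computing TLSA hashes from either file.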
@ -74,7 +72,14 @@ With this information we can create a rollover DNS record for DANE:
> _25._tcp.mail.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
> _25._tcp.mail.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
> _25._tcp.mail2.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
> _25._tcp.mail2.example.com. IN TLSA 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
## Configuring mailserver
# Implementing DANE for inbound e-mail traffic
# Implementing DANE for inbound e-mail traffic
## Configuring Postfix
Postfix plays an important role in using DANE when available.
Make sure the following entries are present in **/etc/postfix/main.cf**
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
> smtp_host_lookup = dns
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_CAfile = /path/to/ca-bundle-file.crt
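Review bot: the added `smtp_*` parameters (`smtp_dns_support_level = dnssec`, `smtp_tls_security_level = dane`, `smtp_host_lookup = dns`, `smtp_tls_note_starttls_offer = yes`) configure the Postfix SMTP client, i.e. outbound delivery, yet the hunk places them under the new "# Implementing DANE for inbound e-mail traffic" heading; only `smtpd_tls_CAfile` belongs to the receiving side (smtpd). Suggest either moving the client settings to the outbound section or renaming the heading, and stating in the text that DANE for inbound mail is achieved by publishing the TLSA records shown earlier for the certificate the server presents, while `smtp_dns_support_level = dnssec` additionally presumes a DNSSEC-validating resolver on the host (without it Postfix cannot treat TLSA lookups as authenticated). The placeholder `/path/to/ca-bundle-file.crt` should also say which bundle is meant (the same bundle file used for the hashes above, or the system CA store).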