Re: [dane] Meeting at IETF89 (London).

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 17 January 2014 00:04 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 505F01AC4A3 for <dane@ietfa.amsl.com>; Thu, 16 Jan 2014 16:04:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZCpmHcg6pdPG for <dane@ietfa.amsl.com>; Thu, 16 Jan 2014 16:04:16 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 482771AC85E for <dane@ietf.org>; Thu, 16 Jan 2014 16:04:15 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 175232AB191; Fri, 17 Jan 2014 00:04:02 +0000 (UTC)
Date: Fri, 17 Jan 2014 00:04:02 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140117000402.GU2317@mournblade.imrryr.org>
References: <CAHw9_iK4sY=Ogy4zMP0XQUu2K1wTDhn67ajXpGQp5iaeBDRuMw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHw9_iK4sY=Ogy4zMP0XQUu2K1wTDhn67ajXpGQp5iaeBDRuMw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Meeting at IETF89 (London).
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2014 00:04:19 -0000

On Thu, Jan 16, 2014 at 10:58:16AM -0500, Warren Kumari wrote:

> Hopefully they will manage to get this done in January -- once that is
> done, adding the TLSA record (and updating the documentation!) should
> be (hopefully) quick and easy...
> 
> 220 ietfa.amsl.com ESMTP Postfix
> EHLO example.com
> 250-ietfa.amsl.com
> 250-PIPELINING
> 250-SIZE 67108864
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

Recommended reading for AMSL:

    http://www.postfix.org/TLS_README.html#server_tls
    http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

Postfix 2.11.0 has been released.  If they are in a position to
build their own package, they should consider going with that.
Otherwise, they can upgrade at a later date, when their O/S vendor
makes an updated package available.

With 2.11 they get TLS session ticket support in the Postfix
SMTP server and DANE support in the Postfix SMTP client.

Best-practice configuration:

Postfix configured for opportunistic TLS or opportunistic DANE TLS
if >= 2.11.0:

    /etc/postfix/main.cf:
	# Server TLS
	smtpd_tls_security_level = may
	smtpd_tls_loglevel = 1
	smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
	smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
	smtpd_tls_dh1024_param_file ${config_directory}/dh2048.pem
	smtpd_tls_dh512_param_file ${config_directory}/dh512.pem

	# Client TLS: Postfix < 2.11
	smtp_tls_security_level = may
	smtpd_tls_loglevel = 1
	# In most cases do not configure a client certificate
	smtp_tls_cert_file = 
	smtp_tls_key_file =

	# Client TLS additions/changes for Postfix >= 2.11
	smtp_dns_support_level = dnssec
	smtp_tls_security_level = dane

For DANE security, a DNSSEC-validating recursive resolver is required
on the MTA machine, as the sole entry in:

  /etc/resolv.conf:
	domain amsl.com
	nameserver 127.0.0.1

-- 
	Viktor.