Re: [dane] Meeting at IETF89 (London).

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 17 January 2014 00:04 UTC

On Thu, Jan 16, 2014 at 10:58:16AM -0500, Warren Kumari wrote:

> Hopefully they will manage to get this done in January -- once that is
> done, adding the TLSA record (and updating the documentation!) should
> be (hopefully) quick and easy...
> 
> 220 ietfa.amsl.com ESMTP Postfix
> EHLO example.com
> 250-ietfa.amsl.com
> 250-PIPELINING
> 250-SIZE 67108864
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

Recommended reading for AMSL:

    http://www.postfix.org/TLS_README.html#server_tls
    http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

Postfix 2.11.0 has been released.  If they are in a position to
build their own package, they should consider going with that.
Otherwise, they can upgrade at a later date, when their O/S vendor
makes an updated package available.

With 2.11 they get TLS session ticket support in the Postfix
SMTP server and DANE support in the Postfix SMTP client.

Best-practice configuration:

Postfix configured for opportunistic TLS or opportunistic DANE TLS
if >= 2.11.0:

    /etc/postfix/main.cf:
	# Server TLS
	smtpd_tls_security_level = may
	smtpd_tls_loglevel = 1
	smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
	smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
	smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
	smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem

	# Client TLS: Postfix < 2.11
	smtp_tls_security_level = may
	smtp_tls_loglevel = 1
	# In most cases do not configure a client certificate
	smtp_tls_cert_file = 
	smtp_tls_key_file =

	# Client TLS additions/changes for Postfix >= 2.11
	smtp_dns_support_level = dnssec
	smtp_tls_security_level = dane

For DANE security, a DNSSEC-validating recursive resolver is required
on the MTA machine, as the sole entry in:

  /etc/resolv.conf:
	domain amsl.com
	nameserver 127.0.0.1

-- 
	Viktor.
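
The following is an added example, not part of the original message and not Postfix code: a small offline check that reads main.cf and resolv.conf text and reports whether the two client-side DANE settings and the single local resolver entry recommended above are in place. The function names and sample inputs are assumptions made for illustration; the check only inspects file contents and does not prove that the resolver at 127.0.0.1 actually validates DNSSEC.

```python
import re

def parse_main_cf(text):
    """main.cf rules: '#' lines are comments, a line starting with whitespace
    continues the previous logical line, and the last setting of a name wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params, malformed = {}, []
    for line in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
        else:
            malformed.append(line)  # e.g. a parameter line with no '='
    return params, malformed

def nameservers(resolv_conf):
    rows = [l.split() for l in resolv_conf.splitlines()]
    return [r[1] for r in rows if len(r) > 1 and r[0] == "nameserver"]

def dane_findings(main_cf, resolv_conf):
    """Return a list of problems; empty means the client-side DANE settings
    and the local-resolver requirement from the message are both met."""
    params, malformed = parse_main_cf(main_cf)
    findings = ["malformed line (no '='): " + l for l in malformed]
    wanted = {"smtp_dns_support_level": "dnssec", "smtp_tls_security_level": "dane"}
    for name, value in wanted.items():
        if params.get(name) != value:
            findings.append(f"{name} = {params.get(name)!r}, expected {value!r}")
    ns = nameservers(resolv_conf)
    if ns != ["127.0.0.1"]:
        findings.append(f"resolv.conf nameservers {ns}, expected only 127.0.0.1")
    return findings

# Constructed sample input (not taken from any real host).
BAD_MAIN_CF = """\
smtp_tls_security_level = dane
smtp_dns_support_level dnssec
# a later line silently overrides the earlier one
smtp_tls_security_level = may
"""
BAD_RESOLV = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for finding in dane_findings(BAD_MAIN_CF, BAD_RESOLV):
        print("FAIL:", finding)
```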