Re: [dane] making ietf.org eat the DANE dogfood
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 21 May 2013 22:52 UTC
Date: Tue, 21 May 2013 22:52:32 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130521225232.GB582@mournblade.imrryr.org>
In-Reply-To: <519BDB2E.90805@stpeter.im> <2375B9D3-9A93-499F-A31C-8F6CB887FA05@vpnc.org>
On Tue, May 21, 2013 at 01:52:33PM -0700, Paul Hoffman wrote:

> On May 21, 2013, at 1:38 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
>
> > I didn't see that they proposed deployment scenarios for ietf.org...
>
> They explain some of the operational issues that the IETF would
> want to consider when making the decision to add TLSA records.

Thanks for championing the drafts Paul, much appreciated.

In terms of SMTP, given:

    ietf.org. 1800 IN MX 0 mail.ietf.org.

and assuming this is a "secure" result (I am behind the wrong kind of
firewalls to check just at the moment), all the IETF would have to do
is publish:

    _25._tcp.mail.ietf.org. IN TLSA 3 1 1 <pkey_digest>

after first enabling STARTTLS support on the MTA:

    posttls-finger: Connected to mail.ietf.org[2001:1890:123a::1:1e]:25
    posttls-finger: < 220 ietfa.amsl.com ESMTP Postfix
    posttls-finger: > EHLO amnesiac.local
    posttls-finger: < 250-ietfa.amsl.com
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 67108864
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH LOGIN PLAIN
    posttls-finger: < 250-AUTH=LOGIN PLAIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye

For some reason this MX host supports SASL (more suitable for an MSA,
where one would also want TLS for PLAIN or LOGIN), but not TLS, which
is appropriate for an inbound MX.

main.cf:

    smtpd_tls_cert_file = ${config_directory}/smtpd.pem
    smtpd_tls_security_level = may
    # Optional, but recommended: cache TLS sessions:
    scache = btree:${data_directory}/
    smtpd_tls_session_cache_database = ${scache}smtpd_scache

The cert can be self-signed. Just a couple of minutes of admin time
and "postfix reload".

makecert.sh:

    #! /bin/bash
    # bash rather than POSIX sh: the <(...) process substitution below needs it
    umask 077
    tmp=$(mktemp .smtpd.pem.XXXXXX)
    dst=smtpd.pem
    # Self-signed cert and its private key, both written to $tmp
    openssl req -new >> $tmp \
        -newkey rsa:2048 -nodes -keyout /dev/stdout \
        -x509 -sha1 -set_serial 1 -subj "/" -days 3650 \
        -config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
            "$(printf "%s\n%s\n" \
                "distinguished_name=dn" \
                "x509_extensions=exts")" \
            "$(printf "%s\n%s\n" \
                "extendedKeyUsage=serverAuth,clientAuth" \
                "subjectAltName=@alts" \
            )" \
            "$(printf "DNS.1 = %s\n" $(uname -n))") &&
    mv $tmp "$dst"

To generate the digest for the DNS TLSA record:

    openssl pkey -in "$dst" -pubout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256

-- 
    Viktor.
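As an added example (not code from Viktor's message or from Postfix), the same "3 1 1" digest computation done in Python without openssl: it builds the DER SubjectPublicKeyInfo for a constructed toy RSA key, emits the TLSA record to publish, and checks a presented key against a record the way a DANE-aware SMTP client would. The toy key and the helper names are assumptions.

```python
import hashlib

def _der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)

def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA key, i.e. what
    'openssl pkey -pubout | openssl pkey -pubin -outform DER' emits."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = _der(0x30, rsa_oid + b"\x05\x00")                   # with NULL params
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))    # BIT STRING, 0 unused bits

def tlsa_311_record(owner, spki_der):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return f"{owner} IN TLSA 3 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def tlsa_matches(rdata, spki_der):
    """Verifier side: does the peer's SPKI satisfy '3 1 <mtype> <data>'?"""
    usage, selector, mtype, data = rdata.split()
    if (usage, selector) != ("3", "1"):
        return False  # only DANE-EE / SPKI records are handled here
    if mtype == "0":
        return bytes.fromhex(data) == spki_der
    if mtype == "1":
        return hashlib.sha256(spki_der).hexdigest() == data.lower()
    if mtype == "2":
        return hashlib.sha512(spki_der).hexdigest() == data.lower()
    return False

# Constructed toy RSA public key: NOT a real key and far too small to be secure.
TOY_N = int("c0ffee" * 10, 16)
TOY_E = 65537
```

Calling tlsa_311_record("_25._tcp.mail.ietf.org.", rsa_spki_der(TOY_N, TOY_E)) returns the record line to publish for the toy key; feed tlsa_matches the rdata and the SPKI taken from the server's presented certificate to verify it.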