On Tue, May 21, 2013 at 01:52:33PM -0700, Paul Hoffman wrote:
> On May 21, 2013, at 1:38 PM, Peter Saint-Andre <[email protected]> wrote:
>
> > I didn't see that they proposed deployment scenarios for ietf.org...
>
> They explain some of the operational issues that the IETF would
> want to consider when making the decision to add TLSA records.
Thanks for championing the drafts Paul, much appreciated.

In terms of SMTP, given:

    ietf.org. 1800 IN MX 0 mail.ietf.org.

and assuming this is a "secure" result (I am behind the wrong kind
of firewalls to check just at the moment), all the IETF would have
to do is publish:

    _25._tcp.mail.ietf.org. IN TLSA 3 1 1 <pkey_digest>

after first enabling STARTTLS support on the MTA:

    posttls-finger: Connected to mail.ietf.org[2001:1890:123a::1:1e]:25
    posttls-finger: < 220 ietfa.amsl.com ESMTP Postfix
    posttls-finger: > EHLO amnesiac.local
    posttls-finger: < 250-ietfa.amsl.com
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE 67108864
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH LOGIN PLAIN
    posttls-finger: < 250-AUTH=LOGIN PLAIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye

For some reason this MX host supports SASL (more suitable for an
MSA, where one would also want TLS for PLAIN or LOGIN), but not
TLS, which is appropriate for an inbound MX.

main.cf:

    smtpd_tls_cert_file = ${config_directory}/smtpd.pem
    smtpd_tls_security_level = may
    # Optional, but recommended: cache TLS sessions:
    scache = btree:${data_directory}/
    smtpd_tls_session_cache_database = ${scache}smtpd_scache

The cert can be self-signed. Just a couple of minutes of admin
time and "postfix reload".

makecert.sh:

    #! /bin/bash
    # bash rather than sh: the "-config <(...)" process substitution below
    # is not available in a POSIX /bin/sh.
    umask 077
    # Write key and cert to a temp file in the current directory, then
    # rename atomically so a half-written smtpd.pem is never picked up.
    tmp=$(mktemp .smtpd.pem.XXXXXX)
    dst=smtpd.pem
    # Key (via -keyout /dev/stdout) and self-signed cert both land in $tmp.
    # The self-signature is never checked under DANE-EE (usage 3); only the
    # public key digest published in DNS matters.
    openssl req -new >> "$tmp" \
        -newkey rsa:2048 -nodes -keyout /dev/stdout \
        -x509 -sha1 -set_serial 1 -subj "/" -days 3650 \
        -config <(printf "[req]\n%s\n[dn]\n[exts]\n%s\n[alts]\n%s\n" \
            "$(printf "%s\n%s\n" \
                "distinguished_name=dn" \
                "x509_extensions=exts")" \
            "$(printf "%s\n%s\n" \
                "extendedKeyUsage=serverAuth,clientAuth" \
                "subjectAltName=@alts" \
            )" \
            "$(printf "DNS.1 = %s\n" $(uname -n))") &&
    mv "$tmp" "$dst"

To generate the digest for the DNS TLSA record:

    openssl pkey -in "$dst" -pubout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256

--
Viktor.
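The openssl pipeline above hashes the DER SubjectPublicKeyInfo, which is what a "3 1 1" record (DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256) carries. As an added example that is not part of the original thread or of Postfix, the Python below does the same computation with only the standard library: a minimal DER walker pulls the SPKI out of the certificate, one function emits the presentation-format TLSA record, and another checks a presented certificate against a record's association data the way a DANE-EE verifier would (covering selectors 0/1 and matching types 0/1/2, which goes beyond the single 3 1 1 case in the mail). The certificate embedded in the block is a constructed, structurally valid but meaningless DER object used only so the example runs offline; `mail.example.com` is a placeholder host.

```python
"""Compute and check DANE-EE (usage 3) TLSA records from a certificate.

Added example, not part of the original mailing-list thread.  Standard
library only: a minimal DER walker extracts the SubjectPublicKeyInfo,
which is the material selector 1 hashes.
"""
import base64
import hashlib
import re
import sys


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM string.
    A smtpd.pem that also holds the private key is fine; the key is skipped."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def _tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def spki_der(cert_der: bytes) -> bytes:
    """Encoded SubjectPublicKeyInfo (tag + length + value) of a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_start, cert_end = _tlv(cert_der, 0)
    tbs_tag, _, tbs_start, tbs_end = next(_children(cert_der, cert_start, cert_end))
    if tbs_tag != 0x30:
        raise ValueError("malformed certificate")
    fields = [f for f in _children(cert_der, tbs_start, tbs_end) if f[0] != 0xA0]  # drop [0] version
    _, tlv_start, _, vend = fields[5]       # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[tlv_start:vend]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Certificate association data (hex) for a selector / matching type pair."""
    material = {0: cert_der, 1: spki_der(cert_der)}[selector]
    if mtype == 0:
        return material.hex()                            # full DER, no hash
    if mtype == 1:
        return hashlib.sha256(material).hexdigest()
    if mtype == 2:
        return hashlib.sha512(material).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_3_1_1(cert_pem: str, host: str, port: int = 25) -> str:
    """Presentation-format TLSA record (usage 3, selector 1, SHA-256) for host:port."""
    return f"_{port}._tcp.{host}. IN TLSA 3 1 1 {tlsa_data(pem_to_der(cert_pem), 1, 1)}"


def matches_tlsa(cert_der: bytes, usage: int, selector: int, mtype: int, data: str) -> bool:
    """True if the presented certificate satisfies a DANE-EE (usage 3) record.
    Usages 0-2 need PKIX chain validation, which this example does not
    implement, so they never match here.  Whitespace in the hex is ignored,
    as zone files may split the data across several quoted strings."""
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    return tlsa_data(cert_der, selector, mtype) == "".join(data.split()).lower()


# Constructed sample (not a real certificate): structurally valid DER with empty
# names and a zero-length signature; its SPKI is SEQUENCE { INTEGER 1, INTEGER 2 }.
SAMPLE_SPKI = bytes.fromhex("30 06 02 01 01 02 01 02")
SAMPLE_CERT_DER = bytes.fromhex(
    "30 1f"                        # Certificate SEQUENCE, 31 bytes
    "30 18"                        #   tbsCertificate SEQUENCE, 24 bytes
    "a0 03 02 01 02"               #     [0] version v3
    "02 01 01"                     #     serialNumber 1
    "30 00 30 00 30 00 30 00"      #     signature, issuer, validity, subject (empty)
) + SAMPLE_SPKI + bytes.fromhex("30 00 03 01 00")  # signatureAlgorithm, signature BIT STRING
SAMPLE_CERT_PEM = der_to_pem(SAMPLE_CERT_DER)

if __name__ == "__main__":
    # usage: python tlsa.py smtpd.pem mail.example.com   (falls back to the sample)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_PEM
    host = sys.argv[2] if len(sys.argv) > 2 else "mail.example.com"
    print(tlsa_3_1_1(pem, host))
```

Run against a real smtpd.pem, the record printed should be byte-for-byte what the openssl pipeline in the mail produces; the matching function is the receiving side of the same computation, and is what an MTA compares against a presented leaf certificate after a secure TLSA lookup.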
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane