Hi,

When can we expect a Postfix release that will support the DANE protocol, so that it (Postfix) can verify (using the DANE and DNSSEC protocols) the signed (and free) SSL/TLS certificates (certs) (or fingerprints) which we can pre-add in TLSA (CERT, HASTLS, etc.) DNS (DNSSEC) records, and then it (Postfix) will use those (certs) for secure (SMTP) communication and to verify SMTP servers?

Currently (Jan 12, 2013), the latest stable GnuTLS supports DANE (and, as of right now, OpenSSL (or any OpenSSL modules) does not yet support DANE). Can Postfix utilize the DANE libraries from GnuTLS for DANE?

It also seems that "Exim" (latest stable version) can already use the server's DNSSEC-supporting local DNS resolver/server software, and so it (Exim) is able to show/add header info like "sender host verified by DNSSEC (AD)" in the "Received:" meta/header if DNSSEC-based authentication succeeded, or a "host not verified by DNSSEC" message in the header when it failed: http://jpmens.net/2012/06/07/exim-mta-with-dnssec-verification-of-sender/ (AD = Authenticated Data). Exim also uses (or can use) GnuTLS (rather than OpenSSL).

The DnsSec-Tools.Org site shares a PATCH (developed by Sparta) for (older) Postfix (and other software) to support DNSSEC; can some expert apply it (the patch) to the latest stable Postfix? http://www.dnssec-tools.org/howtos/postfix-2.3.x-dnssec-howto.txt

Is there any other patch for Postfix (for DANE and DNSSEC functionality)?

Thank you (in advance),
-- Bright Star.
References / More info:

DANE (DNS-based Authentication of Named Entities):
https://datatracker.ietf.org/wg/dane/
https://wiki.mozilla.org/Security/DNSSEC-TLS-details
http://www.dnssec.net/software

Compare MTA, MSA, etc.:
http://en.wikipedia.org/wiki/Comparison_of_mail_servers

Exim (Google+):
https://plus.google.com/101257968735428844827
https://plus.google.com/101257968735428844827/posts/hbvE6f9nYuq

https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
https://www.dnssec-tools.org/wiki/index.php/Main_Page
http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
http://www.internetsociety.org/deploy360/resources/dane/
http://www.gnutls.org/manual/gnutls.html
http://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE-_0028DNSSEC_0029.html
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/
https://addons.mozilla.org/en-us/firefox/addon/extended-dnssec-validator/
http://www.internetsociety.org/deploy360/blog/2013/01/verisign-labs-dane-demonstration-page-and-test-sites/
http://www.isc.org/software/bind/dnssec
http://www.nlnetlabs.nl/projects/dnssec-trigger/
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-1/151_dane.html
https://github.com/pieterlexis/swede
http://dane.verisignlabs.com/
http://tools.verisignlabs.com/
http://dyn.com/dane-dns-server-authentication-ca-flaws-ssl-security/
https://www.dns-oarc.net/oarc/services/odvr
http://www.internetsociety.org/deploy360/resources/hashslinger-a-tool-for-creating-tlsa-records-for-dane/

DNSSEC:
RFC 5910: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4034: Resource Records for the DNS Security Extensions
RFC 4035: Protocol Modifications for the DNS Security Extensions
RFC 4641: DNSSEC Operational Practices
RFC 5155: (March 2008) introduces an alternative resource record, NSEC3, which provides additional measures against zone enumeration and permits gradual expansion of delegation-centric zones.
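The check the post asks Postfix to perform is, at its core, simple: the zone owner publishes a TLSA record containing a hash of the SMTP server's certificate (or of its public key), and the sending MTA compares that hash with what the server presents during STARTTLS. The example below is added here to illustrate that comparison; it is not code from the poster, from Postfix, Exim, GnuTLS or any project linked above. It generates the TLSA RDATA for a certificate (usage, selector and matching type as defined in RFC 6698) and matches a presented certificate against a list of published DANE-EE (usage 3) records. The certificate it runs on is a constructed, unsigned DER blob shaped like an X.509 certificate, so the whole thing runs offline; the DER helpers are a minimal TLV walker written for this example, not a general ASN.1 parser. DNSSEC validation of the TLSA lookup itself, and usage 2 (DANE-TA) chain validation, are assumed to happen elsewhere and are not shown.

```python
"""Compute and match DANE TLSA records (RFC 6698) for a server certificate.
Added example; not Postfix, Exim or GnuTLS code."""
import hashlib
import hmac


# ---- minimal DER helpers (enough for the X.509 Certificate layout) ----

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample cert)."""
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        n = (len(content).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(content).to_bytes(n, "big")
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, end_offset) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split a SEQUENCE body into its child TLVs as (tag, raw_tlv_bytes)."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.
    TBSCertificate fields in order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)          # tbsCertificate
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:           # explicit [0] version
        fields = fields[1:]
    return fields[5][1]


# ---- TLSA record generation and matching ----

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format TLSA RDATA for cert_der, e.g. '3 1 1 <hex>'.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype:    0 = exact data,       1 = SHA-256, 2 = SHA-512"""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def dane_ee_match(cert_der: bytes, tlsa_records) -> bool:
    """True if the presented end-entity cert matches any usage-3 (DANE-EE)
    record. Usage-2 (DANE-TA) records are skipped: they need chain building
    and validation, which this example does not implement."""
    for rec in tlsa_records:
        usage, selector, mtype, assoc = rec.split()
        if int(usage) != 3:
            continue
        computed = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
        if hmac.compare_digest(computed, assoc.lower()):
            return True
    return False


# ---- constructed sample input (NOT a real certificate) ----

def build_sample_cert() -> bytes:
    """Unsigned DER blob with the X.509 Certificate layout; key and
    signature bytes are dummies, used only to exercise the functions above."""
    oid_rsa = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))
    alg = der_encode(0x30, oid_rsa + der_encode(0x05, b""))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + b"\x01" * 32))
    name = der_encode(0x30, b"")                                  # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"130101000000Z") * 2)
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
                     + der_encode(0x02, b"\x01")                  # serialNumber
                     + alg + name + validity + name + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 9))


SAMPLE_CERT = build_sample_cert()
# What the zone owner would publish at _25._tcp.<mx host>: a DANE-EE record
# over the SubjectPublicKeyInfo, hashed with SHA-256 ("3 1 1").
PUBLISHED_TLSA = [tlsa_rdata(SAMPLE_CERT, 3, 1, 1)]

if __name__ == "__main__":
    print("TLSA to publish:", PUBLISHED_TLSA[0])
    print("presented cert matches:", dane_ee_match(SAMPLE_CERT, PUBLISHED_TLSA))
```

Publishing the SPKI hash ("3 1 1") rather than the full-certificate hash ("3 0 1") is the usual choice for SMTP because the record survives certificate renewals that keep the same key; a "3 0 1" record would have to be updated, with DNS TTLs in mind, every time the certificate is reissued.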