Hi Bright Star,

I like the idea of a CA-less TLS trust layer with DNS(SEC)-based certificates. I stumbled upon DANE a while ago; it is already working on some browsers (Chrome; Firefox will probably follow, there is an add-on like the DNSSEC plugin: http://hu.reddit.com/r/netsec/comments/12up0t/dane_patrol_firefox_addon_fork_of_certificate/).

DANE is a marketing name for RFC 6698: https://tools.ietf.org/html/rfc6698

To get adoption in the mail world (and stuff like that, with 2-3 specifications involved: TLS, DNS and SMTP) takes time and is usually painful (too many broken MTAs).

First, I never saw Postfix compiled against GnuTLS; Google showed some bug reports regarding that, please correct me if I am wrong about that. So if OpenSSL would support DANE, life would be a lot easier. It is similar to SNI (server name indication): GnuTLS was first, but after OpenSSL integrated it, adoption started to accelerate.

I see two ways to reach a first milestone on your goal:
a) make Postfix compile against GnuTLS
b) wait on the integration of DANE in OpenSSL

I would favor b), just because IMHO it is probably faster than a); having Postfix compile/link against two TLS libraries would not do harm, it is just a lot of work. And encryption and authentication is not something you want to have broken.

But the above scenarios would just be a first step; then you would need to improve/add the DANE/TLS handling within Postfix and make sure nothing of the current TLS/SSL handling breaks during the integration.

I would be happy if we could improve Postfix with DANE, I am just not a good enough coder to do so. I would be willing to help with all the other stuff (compiling, testing, documentation) of the process.

Greetings,
Stefan

On 13/01/2013 08:34, Bry8 Star wrote:
> Hi,
> When can we expect a Postfix release that will support the DANE
> protocol? So that it (Postfix) can verify (using the DANE & DNSSEC
> protocols) the signed (and free) SSL/TLS certificates (cert) (or
> fingerprints) which we can pre-add in TLSA (CERT, HASTLS, etc.) DNS
> (DNSSEC) records, and then it (Postfix) will use those (cert) for
> secure (SMTP) communication, and to verify SMTP servers.
>
> Currently (Jan 12, 2013), the last+stable GnuTLS now supports DANE
> (and as of right now, OpenSSL (or any OpenSSL modules) does not yet
> support DANE). Can Postfix utilize DANE libraries from GnuTLS for DANE?
>
> And, it seems "Exim" (last+stable version) can already use the server's
> DNSSEC-supporting local DNS resolver/server software, and so it (Exim)
> is able to show/add header info like "sender host verified by DNSSEC
> (AD)" in the "Received:" meta/header if DNSSEC protocol based
> authentication succeeded, or a "host not verified by DNSSEC" message
> in the header when it failed:
> http://jpmens.net/2012/06/07/exim-mta-with-dnssec-verification-of-sender/
> (AD = Authenticated Data).
> And Exim also uses (or can use) GnuTLS (other than OpenSSL).
>
> The DnsSec-Tools.Org site shares a PATCH (developed by Sparta) for
> (older) Postfix (and other software) to support DNSSEC; can some
> expert apply it (patch) on the last+stable Postfix?
> http://www.dnssec-tools.org/howtos/postfix-2.3.x-dnssec-howto.txt
>
> Is there any other patch for Postfix? (for DANE and DNSSEC
> functionalities).
>
> Thank you (in advance),
> -- Bright Star.
>
>
> References / More info:
>
> DANE (DNS-based Authentication of Named Entities):
> https://datatracker.ietf.org/wg/dane/
>
> https://wiki.mozilla.org/Security/DNSSEC-TLS-details
>
> http://www.dnssec.net/software
>
> Compare MTA, MSA, etc.:
> http://en.wikipedia.org/wiki/Comparison_of_mail_servers
>
> Exim (Google+):
> https://plus.google.com/101257968735428844827
> https://plus.google.com/101257968735428844827/posts/hbvE6f9nYuq
>
> https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
>
> https://www.dnssec-tools.org/wiki/index.php/Main_Page
>
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
>
> http://www.internetsociety.org/deploy360/resources/dane/
>
> http://www.gnutls.org/manual/gnutls.html
> http://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE-_0028DNSSEC_0029.html
>
> http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools
>
> https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
>
> https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/
>
> https://addons.mozilla.org/en-us/firefox/addon/extended-dnssec-validator/
>
> http://www.internetsociety.org/deploy360/blog/2013/01/verisign-labs-dane-demonstration-page-and-test-sites/
>
> http://www.isc.org/software/bind/dnssec
>
> http://www.nlnetlabs.nl/projects/dnssec-trigger/
>
> http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-1/151_dane.html
>
> https://github.com/pieterlexis/swede
>
> http://dane.verisignlabs.com/
> http://tools.verisignlabs.com/
>
> http://dyn.com/dane-dns-server-authentication-ca-flaws-ssl-security/
>
> https://www.dns-oarc.net/oarc/services/odvr
>
> http://www.internetsociety.org/deploy360/resources/hashslinger-a-tool-for-creating-tlsa-records-for-dane/
>
> DNSSEC:
> RFC 5910: Domain Name System (DNS) Security Extensions Mapping for
> the Extensible Provisioning Protocol (EPP)
> RFC 4033: DNS Security Introduction and Requirements
> RFC 4034: Resource Records for the DNS Security Extensions
> RFC 4035: Protocol Modifications for the DNS Security Extensions
> RFC 4641: DNSSEC Operational Practices
> RFC 5155: (March 2008) introduces an alternative resource record,
> NSEC3, which provides additional measures against zone enumeration
> and permits gradual expansion of delegation-centric zones.
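As an added illustration of the TLSA matching Bry8 Star describes (this is example code written for this page, not code from the thread, Postfix, GnuTLS or hashslinger), the script below derives RFC 6698 TLSA association data from a certificate, the way a tool publishing a "3 1 1" record would, and checks a presented certificate against a record in presentation format. The minimal DER walker and the sample certificate bytes are constructed for the example and assume the RFC 5280 field order of tbsCertificate.

```python
import hashlib

def _der(tag, body):  # DER TLV encoder, used only to build the constructed sample below
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + body

def _split(buf, pos=0):  # parse one DER TLV at pos -> (tag, value bytes, end offset)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):  # (tag, full TLV bytes) for each element of a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = _split(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert, located by RFC 5280 field order."""
    tbs_tlv = _children(_split(cert_der)[1])[0][1]   # Certificate -> tbsCertificate
    fields = _children(_split(tbs_tlv)[1])
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA presentation data for a cert; default is DANE-EE / SPKI / SHA-256 ("3 1 1")."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)  # selector 0 = full cert
    hashers = {1: hashlib.sha256, 2: hashlib.sha512}                # RFC 6698 matching types
    assoc = hashers[mtype](data).digest() if mtype else data        # type 0 = exact match
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def tlsa_matches(cert_der, rdata):
    """True if the presented cert satisfies one TLSA record given in presentation format."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == "".join(hexdata.split()).lower()

# Constructed sample: correct X.509 DER shape with placeholder fields; NOT a real certificate.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")))  # rsaEncryption
                   + _der(0x03, b"\x00" + b"\x42" * 140))                            # dummy key bits
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI)      # version, serial, 4 placeholder SEQs, SPKI
                   + _der(0x30, b"") + _der(0x03, b"\x00"))  # signatureAlgorithm, signatureValue
```

The data match is only the DANE part of the check: with usages 0 and 1 the MTA must still run normal PKIX chain validation, and with usage 2 the TLSA-named certificate must appear as a trust anchor in the presented chain, so a matching record alone is not sufficient for those usages.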