Dear Viktor,
On 09/26/18 16:46, Paul Menzel wrote:
> On 09/26/18 09:37, Viktor Dukhovni wrote:
>
>>> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt wrote:
>>>
>>> Large parts of the German universities now use the DFN MailSupport
>>> (= inbound mail relaying and filtering by DFN). The MX records are
>>> in mx.srv.dfn.de, which is not signed (the whole of dfn.de is not signed).
>>> So you can have your own zone DNSSEC enabled, but not the one with
>>> the MX.
>>
>> Good to know. Thanks.
>
> Yes, that is what I meant. Bernhard, thank you for answering and
> clarifying that.
>
>>> I heard they are working on this. This is also a blocker of our
>>> project to have DANE-secured SMTP transport for all Bavarian
>>> universities.
>>
>> I wish them luck (really sound planning and execution, luck has
>> little to do with it).
>
> Unfortunately, to my knowledge, it’s not high on their to-do list.
> Only a few of their clients have requested this feature explicitly.
> I’ll work on raising awareness. Bernhard, all the Bavarian
> institutions should open a support ticket at the DFN mail support.
> It’s my understanding that this would influence the priority.
>
>> I also hope that the plan includes securing the downstream hop from
>> the DFN gateway to the client institution, unless DFN is also
>> providing IMAP, Webmail, ...
>
> I do not know how the downstream hop is secured currently. Either
> hard coding the IP address of the MTA, using certificates or just
> DANE would be feasible. We should do that for our mail system.
> Thank you for the reminder.

My colleagues already set up TLSA records for mx.molgen.mpg.de [3]. So
I’ll ask the mail support to enable dane-only for that connection.

> For the record, the DFN network has its own network infrastructure
> with “cables” and network gear operated over Germany, so it’s not
> easy for somebody “from the Internet” to eavesdrop [1][2]. Common
> methods for securing the transfer should be used nevertheless.
Kind regards,

Paul

> [1]: https://www.dfn.de/xwin/faserplattform/
> [2]: https://www.dfn.de/fileadmin/1Dienstleistungen/XWIN/Topologie.pdf

[3]:

$ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary mx.molgen.mpg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.mx.molgen.mpg.de IN TLSA 3 1 2 02:E4:F7:97:85:C7:08:1D:84:63:1A:23:A4:EC:B1:B6:26:24:1F:DC:68:D0:FA:80:B1:10:EF:5E:4C:2C:AF:5E:3F:B9:59:9C:6B:EA:D2:50:4E:4A:BB:6E:2A:73:94:14:11:46:65:F1:69:5C:ED:D7:80:E6:40:5F:19:7E:33:D6
posttls-finger: setting up TLS connection to mx.molgen.mpg.de[141.14.17.8]:25
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=3 verify=0 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=3 verify=1 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=2 verify=1 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=1 verify=1 subject=/C=DE/O=Max-Planck-Gesellschaft/CN=MPG CA/emailAddress=mpg...@mpg.de
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=Max-Planck-Gesellschaft/OU=Max-Planck-Institut fuer molekulare Genetik/CN=mx.molgen.mpg.de
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: depth=0 matched end entity public-key sha512 digest=02:E4:F7:97:85:C7:08:1D:84:63:1A:23:A4:EC:B1:B6:26:24:1F:DC:68:D0:FA:80:B1:10:EF:5E:4C:2C:AF:5E:3F:B9:59:9C:6B:EA:D2:50:4E:4A:BB:6E:2A:73:94:14:11:46:65:F1:69:5C:ED:D7:80:E6:40:5F:19:7E:33:D6
posttls-finger: mx.molgen.mpg.de[141.14.17.8]:25: subject_CN=mx.molgen.mpg.de, issuer_CN=MPG CA, fingerprint=76:A9:04:3A:1E:27:1B:3A:28:9A:C1:A8:9A:64:C9:D0:FB:14:7F:D9, pkey_fingerprint=6A:2A:F0:14:CD:75:B2:D2:58:5A:50:83:F2:DF:A4:8A:4A:E9:66:8E
posttls-finger: Verified TLS connection established to mx.molgen.mpg.de[141.14.17.8]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
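As an added example that is not part of this thread, the Go program below computes the association data of a DANE-EE TLSA record from a certificate (the "3 1 2" form in [3] is SHA-512 over the SubjectPublicKeyInfo) and checks a published record against it, which is the comparison posttls-finger reports as "matched end entity public-key sha512 digest". It builds a throwaway self-signed certificate so it runs offline; the owner name in the printed record is a placeholder, and only usage 3 is handled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// hashes maps TLSA matching type (0 exact, 1 SHA-256, 2 SHA-512) to its digest, per RFC 6698.
var hashes = map[uint8]func([]byte) []byte{
	0: func(b []byte) []byte { return b },
	1: func(b []byte) []byte { s := sha256.Sum256(b); return s[:] },
	2: func(b []byte) []byte { s := sha512.Sum512(b); return s[:] },
}

// tlsaData: association data (hex) for selector 0 = whole cert, 1 = SubjectPublicKeyInfo.
func tlsaData(cert *x509.Certificate, selector, mtype uint8) (string, error) {
	in := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	h, ok := hashes[mtype]
	if in == nil || !ok {
		return "", fmt.Errorf("unsupported selector %d or matching type %d", selector, mtype)
	}
	return hex.EncodeToString(h(in)), nil
}

// tlsaMatches checks a DANE-EE (usage 3) record; colons and letter case in data are ignored.
func tlsaMatches(cert *x509.Certificate, selector, mtype uint8, data string) bool {
	got, err := tlsaData(cert, selector, mtype)
	return err == nil && got == strings.ToLower(strings.ReplaceAll(data, ":", ""))
}

// selfSignedCert builds a throwaway certificate (constructed, not a real MX) so this runs offline.
func selfSignedCert() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	data, _ := tlsaData(selfSignedCert(), 1, 2)
	fmt.Println("_25._tcp.mx.example.invalid. IN TLSA 3 1 2", data) // placeholder owner name
}
```

A key rollover changes the SPKI digest, so the check must be rerun against the certificate actually served after every key change.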