dane-users

Download

dane-users@list.sys4.de

October 2024

2 participants
2 discussions

DANE vs. TLS shedding of legacy/obsolete features
by Viktor Dukhovni 23 Oct '24

23 Oct '24

Time marches on, and various TLS stacks are gradually disabling obsolete and legacy TLS features. This affects DANE SMTP users, because when you publish TLSA records you are effectively commiting to sufficiently interoperable TLS support with no fallback to cleartext SMTP transmission. If your server's TLS stack is substantially behind the times, you risk losing mail, as gradually more sending systems are unable to complete TLS connections to your server. I was reminded of this today, after upgrading the software stack on the DANE survey server. The latest Haskell TLS library has: - Removed TLS 1.0 and TLS 1.1 support - By default now requires that TLS 1.2 stacks support the Extended Master Secret (EMS) extension. The first of these only affects a few MX hosts, for under 10 domains, and as of today, the server will assess these hosts to not support TLS. For the second, ~300k domains were affected, so I've made a code change in the survey to override the new default, and EMS is for now optional. However, this does not mean that it is a good idea to stay with outdated TLS server libraries that lack the last decade of TLS security improvements. At some point you'll run into increasing interoperability issues. Therefore, please make sure that your server TLS stacks are of a reasonably recent vintage, support TLS 1.3, and TLS 1.2 with EMS, and various other up-to-date protocol features. Below my signature is a list of 681 MX hosts that support TLS 1.2 only without EMS. If you're operating one of these, you may want to consider a software update, or reach out to your vendor re their future plans if on the latest available software. -- Viktor. mail.ismail.app mail.cambium.at mail.core.at mx2.core.at mail1.dialog-on.at mailex.graz4u.at mxirl.kurios.at smail.bancfirst.bank smail2.bancfirst.bank mail.dierenplanet.be mail.kevinscheerlinck.be mail7.uzgent.be mail8.uzgent.be ip1.nra.bg box.credazulbh.com.br digidocsolucoes.com.br digitalnext.com.br divulgabrasilpublicidade.com.br erpacademy.com.br webmail.grsolucoestelecom.com.br localizarfacil.com.br paulohendrix.com.br mail.purplehost.com.br rminet.com.br somcast.com.br agent.aneel.gov.br coulomb.aneel.gov.br mailsrv.aneel.gov.br master.aneel.gov.br silicio.defesa.gov.br aadh.org.br carteiradeestudanteonline.org.br mx.nohats.ca mm.eggy.cc mail.weel.cc mx.aha-informatik.ch mx2.aha-informatik.ch sr2.alfahost.ch linux3.buerki-hosting.ch linux4.buerki-hosting.ch sr621.firestorm.ch mail.houbi.ch mail2.houbi.ch mail.jardon.ch mail.kupferschmid.ch mx1.logging.ch mx2.logging.ch mx3.logging.ch mail.lumatron.ch mcagx.mathconsult.ch www.versicherungen-verwalten.ch wq-control03.web-quality.ch mailing.osst.cl dmzserv.osste.cl mail.buchtic.cloud box.castellino.cloud mail.heinzelmann.co mail.2d-computers.com mta01.zh01.4synergy.com box.aaronware.com mail.ajsuarez.com mail.arvidp.com mail.atsnappic.com server1.bootletech.com mail.brunston.com mail.bysnappic.com smtp1.cacdsp.com smtp2.cacdsp.com smtp2b.cacdsp.com box.certicommco.com mail.cfd-berlin.com mail.chamberlain1875.com mx10.coosto.com mx20.coosto.com db1.countermail.com mail.darev.com mx01.dcvc.com mx02.dcvc.com box.disarrayinc.com mail.djadaro.com box.donaldbordner.com mail.dsx-networks.com mail.getrocksolidoutbound.com box.globaldataconnections.com mail01.globexec.com mail02.globexec.com box.googdaddy.com mail.gozubuyukoglu.com box.graabek.com mail.growthsnappic.com filter.hattink.com relay-6.headbird.com relay-7.headbird.com smtp.heimdal31.com mail.hepsibulutta.com mail.hisnappic.com box.infoprospector.com box.intelligencespubliques.com mail.istar-link.com mail.joinsnappic.com mail.justsnappic.com mail.khecorp.com maple.killian.com mail.kinderfestival.com mx.lavabit.com mx.leonhard-ip.com mx.lmax-kr.com mail.macskorlari.com mail.magmadaemon.com box.mailcbclub.com mx.mandjes.com mail.me2digital.com mx.mine-inc.com box.misitio-mailserver.com box.mossprogramming.com box.mygp-server.com box.mymaildns.com mail.mysnappic.com mail.noveldatasolutions.com box.oakleg.com mx.ontvdesign.com mail.ordoz.com cloud.orshost.com box.p1xl.com box.paprbit.com mail.phardata.com mbox.proabcmail.com box.redmaplere.com rot13.romab.com mail.secura.com smtp.semperen.com mail.siem-hosting.com mx.simply.com mail.slackonly.com postfach.slogh.com box.sns-corp.com mail.startoutreach-wizards.com sweeper.stater.com mx.statpro.com mx.sunhaochen.com mail.sysdra.com box.tessamcdonald.com mail.theoutreach-wizards.com box.thepcw.com mail.thesnappic.com mx3.threenorth.com mail.topoutreach-wizards.com mail.ubogdan.com mail.undergopher.com box.viewnimail.com mail.vkilin.com smtp.vkilin.com volcanoclient.com calife.wilkushka.com mail.withsnappic.com mx1.wsheffield.com mx2.wsheffield.com box.wuzzlr.com cloud4.xeeor.com mx01.your-site.com mail.yoursnappic.com brightrain.aerifal.cx mx.aerohosting.cz mail.bsys.cz mail.ceskearchivy.cz mx2.cesnet.cz mail.digitalbox.cz mail.dobruskanet.cz mail.dtvm.cz mail.dubina.cz gate.ecompany.cz mail2.eurosat.cz mx3.fastline.cz smtp1.fnusa.cz mail.cbu.gov.cz mail.kraj-jihocesky.gov.cz smtp-bis.gov.cz smtp-cms.gov.cz smtp-czp.gov.cz smtp-kpr.gov.cz smtp-mdcr.gov.cz smtp-mmr.gov.cz smtp-mvcr.gov.cz smtp-mze.gov.cz smtp-pcr.gov.cz smtp-soap.gov.cz smtp-sshr.gov.cz smtp-szif.gov.cz mail.grada.cz mail.intimkontakt.cz mailbackup.intimkontakt.cz arachne.itcomputers.cz mail.janpetrik.cz mail1n.kb.cz mail2v.kb.cz nse.kraj-jihocesky.cz mail.kuthani.cz spindle.m104.cz mail1.fs.mfcr.cz mail2.fs.mfcr.cz mail-gw.mfcr.cz mail-gw2.mfcr.cz smtp.mza.cz mzvczemta05.mzv.cz mzvczemta06.mzv.cz mail.pivovardobruska.cz smtp01.ppfbanka.cz emas1.pre.cz emas3.pre.cz smg2.psp.cz anakin.rtscs.cz rtsdrake.rtscs.cz mail.stebau.cz mail.stranskyapetrzik.cz posta.studio-kiara.cz mail.terrasan.cz rhine.tocc.cz asms1.uzsvm.cz asms2.uzsvm.cz mail.vibrom.cz mail.xsc.cz mail.xtgsystems.cz mx1.zpskoda.cz mx2.zpskoda.cz mail.1of16.de mail.augusta.de mail.azf-gruppe.de relay.ccitm.de mx1.denic.de mx2.denic.de mx.devtig.de mail.gcd.de mail.heinzelmann-it.de avalon.iks-jena.de mail.infonline.de mail2.infonline.de kolab.inhaltsfrei.de mx1.linuxheilbronn.de mx2.linuxheilbronn.de mx3.linuxheilbronn.de mx4.linuxheilbronn.de mx1.mxspamfilter.de mx2.mxspamfilter.de mx3.mxspamfilter.de vh.petricoral.de mail.ropa-maschinenbau.de mail.schoenwald-net.de mx1.siliconhome.de mx3.stute.de mail.sys4.de kolab.sysadm24.de relay.tkue-bayern.de mx1.top24-webhosting.de mx2.top24-webhosting.de mx3.top24-webhosting.de mx4.top24-webhosting.de smtp3.rz.tu-harburg.de smtp4.rz.tu-harburg.de smtp5.rz.tu-harburg.de mailgate1.uni-kl.de mailgate2.uni-kl.de mail.unitedcall.de mx1.unitedcall.de mx2.unitedcall.de mx3.unitedcall.de mx4.unitedcall.de mail.vivell.de smtp1.cacdsp.dev mail.bigbear.dk privatemail.cmcs.dk mail.dlx.dk mailinan.emptybox.dk frontmta.hostedsepo.dk mx1.sit-test.dk mx2.sit-test.dk mail.svanberg.dk mail.umit.dk mail1.just.ee mail2.rik.ee box.3kings.email box.bookingdesigner.email box.enron.email smtp.tink.email webreus.email mx1.ergo-segurosdeviaje.es mail.2d-computers.eu bhmail.bernhardtmtm.eu mail.bindr.eu mailx2.dg-i.eu mail.directhost.eu mail.eurosatcs.eu mail.lexmedia.eu mail.libraoptima.eu mail.mikr.eu khitomer.mortis.eu mail.mtct.eu trbsmtp1.tes.eu mail.tmatejka.eu letter.wolfhugel.eu pobox.wolfhugel.eu mail.wsch.eu lounea-somerofw-01.somero.fi lounea-somerofw-02.somero.fi somerofw-01.somero.fi somerofw-02.somero.fi mx.media-horizon.fr mx03.o2-graphics.fr mx0.jmt.gr tidamg1.tid.gov.hk tidamg2.tid.gov.hk tidamg3.tid.gov.hk web50.i24.host web51.i24.host web52.i24.host web55.i24.host mail.jip.host h4-da.mijn.host h5-da.mijn.host mx.domain.mil.id mail.cliffclav.in box.nstar.in mail.bezorgo.info mail.royalaffiliate.info mail.royalmedia.info box.samuel-drapeau.info box.dspro.io minerva.solas.is saga.solas.is sia.solas.is uce.solas.is mail.matteomarescotti.it mail.laukas.lt mail.starspace.lv box.oolong.me mailgate3.darpa.mil mailgate4.darpa.mil mailgate5.darpa.mil mailgate6.darpa.mil mx01.nhg.name mx02.nhg.name antispam1.7lan.net awnews.aztgrp.net mail2.aztgrp.net relay1.aztgrp.net mailx1.dg-i.net mx1.dotxs.net dubrovskiy.net emailpreneurs.net mail.exesus.net d01.fidela.net d02.fidela.net mail.fobul.net viper.genos.net hostingbarato.net ops.hzdmail.net box.inonso.net mail1.is-bg.net mailf.is-bg.net mail.kerrycze.net smtp.lbcfree.net lechiennoir.net punt1.lrhosting.net punt2.lrhosting.net mx.mailanyone.net ca.mx1.mailanyone.net dk.mx1.mailanyone.net se.mx1.mailanyone.net uk.mx1.mailanyone.net mail3.marcant.net ca.mx2.mx25.net eu.mx2.mx25.net se.mx2.mx25.net backupmail.neessen.net mail.neessen.net mail.no-sense.net mailhost.onetrail.net box.periodoctors.net box.prospertech.net box.prymail.net server03.reb-server.net mx1.rezel.net noname.rula.net mx00.schnied.net mx20.schnied.net mx21.schnied.net dublin.sinnekram.net hawser.sinnekram.net box.soleconnect.net mail.system23.net mx1.t-2.net mx2.t-2.net mx1.tachtler.net vps01.tim427.net box.tristanmcdonald.net mail.vanhard.net virteck.net mx1.vos-systems.net mx2.vos-systems.net mx3.vos-systems.net mx4.vos-systems.net swh5.zylon.net swh6.zylon.net swh7.zylon.net swh8.zylon.net box.myemail.ninja mail.2d-computers.nl mail.accent.nl mail.acm.nl mail.acore.nl mail.beetjevreemd.nl mail.bertrutjenstimmerwerken.nl mail.boerskashandelsonderneming.nl mail.bootsma-advies.nl mail.bprieshof.nl mail.buildingconversation.nl fallback.businessconnect.nl mx1.businessconnect.nl mail.cardialysis.nl mx.cardialysis.nl mail.climax-atletiek.nl clubredders.nl mail.controlink.nl mail.costor.nl mail.covra.nl mail.cyberweerbaarheidnetwerk.nl mail.dekerkvantoen.nl smtp.denhaag.nl mail.denotificatiedienst.nl mail.dentmail.nl mail.derukbunker.nl mail.ditmar-guashatherapie.nl dommelstein.nl mail.dozy-portretten.nl mail.elit.nl mail.enigmaresearch.nl mail.fcfoto.nl mail.fernandokuipers.nl mail.ffsnelchecken.nl mail.galerie-delft.nl mailserver1.go2ubl.nl mx1.groningen.nl mx2.groningen.nl mail.grry.nl mail.hannahsmit.nl mail.honkheerenveen.nl mail.hostedbyjohan.nl hosting2go-server134.nl mail.hostingindustries.nl mail.huureenviool.nl imk-p-mta1.i-mike.nl spamfilter1-secure.ict-net.nl spamfilter2-secure.ict-net.nl mail.in-deco.nl isatiscybersecurity.nl itthuis.nl mail.jobgenius.nl mail.joeyvanmelis.nl mail.josnelissenbv.nl mx.khonraad-ip4-networks.nl mail.klok-eco.nl mail.klokhuis.nl mail.klusbedrijftimmer.nl mail.koldeweij.nl mail.kookhandel.nl mail.kpjmontfoort.nl mail.kuss.nl mail.kynosoft.nl lifeguardcollege.nl mail.lifestylefunnels.nl mail.lightcodealchemy.nl mail.lokalepartijborsele.nl mail.ltcdewestkaap.nl mail.luxespeelkaarten.nl mail.maakjebrood.nl filter1.maq2.nl smt.p.meneeraart.nl mail.meneerjop.nl mail.meteowallie.nl antispam.mica.nl antispam.mica-it.nl spamstraat1.mica-it.nl box.mijn-email-service.nl mail.millerdigital.nl mx.mindef.nl mirfotografeert.nl mail.motorep.nl www.musquetier.nl mx1.netwerkplan.nl mx2.netwerkplan.nl dcmx2.nevb.nl mail.nicknick.nl mail.noormannen.nl mail.opfrisbeurt.nl mx.otadef.nl smtp.otys.nl smtp1.mijn.overheid.nl smtp2.mijn.overheid.nl mail1.parlement.nl mail2.parlement.nl mailrelay.pcextreme.nl mail.photographicdreams.nl mail.pixelein.nl mailgw.pol-it.nl mail.postenwolk.nl mail.praktijkbrandnewme.nl mail.prelution.nl mail.privva.nl mail.progressiefbeek.nl oxygen.proos.nl mail.pure-connect.nl mail.quantora.nl mx1.rdw.nl mail.reapers-delight.nl mail.reclamefotografie.nl mail.redirecter.nl mail.rijkscloud.nl mail.rijles040.nl ruudadviseert.nl mx1.saxion.nl mx2.saxion.nl mail.schildersbedrijfjohn.nl mail.scpocahontas.nl mail.scryption.nl mail.shebiohacks.nl mx3.solutive.nl ispc01.sonad.nl mail-prod.standaardplatform.nl mail.stopumts.nl mx.supportatoffice.nl mail.teatime.nl rtm0.the-net.nl webmail.theijn.nl mail.tijinkeibergen.nl mail.tollercoaster.nl relay.transip.nl relay0.transip.nl relay1.transip.nl mail.ttyl.nl mail.tyrna.nl uwvsmtp05.uwv.nl uwvsmtp06.uwv.nl mail.vakantiewoningeijsden.nl mx1.vancis.nl mx2.vancis.nl mx3.vancis.nl vanderbeekonline.nl mail.veiligthuisgroningen.nl mailhopper.velthovengdw.nl mail.vitaminenaturel.nl mail.vlamingschaap.nl fallback.waversveld.nl ms.waversveld.nl mx-in-1.webreus.nl mx-in-2.webreus.nl mx-in-3.webreus.nl mx-in-4.webreus.nl mx-in-5.webreus.nl webspinnerij.nl mail.westkappelserv.nl mail.x-6.nl smtpf03.xcons.nl mail.xonlineserver.nl mail.web101.your-webhost.nl mail.web102.your-webhost.nl mail.web103.your-webhost.nl mail.web104.your-webhost.nl mail.web105.your-webhost.nl mail.web106.your-webhost.nl mail.web107.your-webhost.nl mail.web108.your-webhost.nl mail.web109.your-webhost.nl mail.web123.your-webhost.nl mail.web201.your-webhost.nl mail.web202.your-webhost.nl mail.web205.your-webhost.nl mail.web206.your-webhost.nl mail.web207.your-webhost.nl mail.web208.your-webhost.nl mail.web209.your-webhost.nl mail.web210.your-webhost.nl mail.web301.your-webhost.nl mail.web302.your-webhost.nl mail.web304.your-webhost.nl mail.web305.your-webhost.nl mail.web306.your-webhost.nl mail.web307.your-webhost.nl mail.web401.your-webhost.nl mail.web402.your-webhost.nl relay.zorgmail.nl fallbackmail.zxcs.nl mailpod01.zxcs.nl spamrelay.zxcs.nl spamrelay03.zxcs.nl smtp2.cryp.no mailgate.h4y.no alfons.uib.no rolf.uib.no tim.bkb.nrw box.siebert.nrw ns.airy.org merlino.alchemistowl.org box.bkmedia.org corz.org mail.ifcat.org mx.lanlos.org magmadaemon.org mail.mdevries.org mail.myicare.org mx1.nausch.org mail.photistic.org mail.razorsedge.org mx1.slackbuilds.org mx2.slackbuilds.org email.titmus.org mail.vanmastrigt.org volcanoclient.org mail.waher.org mail.ferreira.ovh mail.zcservices.ovh mx.biuroskeda.pl war01mail1.brebank.com.pl war01mail2.brebank.com.pl alfa.drama.pl smtp.drama.pl mxin-ta11.psgaz.pl mxin-ta12.psgaz.pl mxin-za11.psgaz.pl mxin-za12.psgaz.pl exchange.tele-car.pl interchange.tele-car.pl dubrovskiy.pro mxout.vangest.pt mail.lexmedia.ro mail.pasion.ro mx5.transsped.ro mx6.transsped.ro mail.geoartefact.ru mail.itnet33.ru relay0.melenky.ru mx01.mosinzhproekt.ru mx02.mosinzhproekt.ru amber.mobily.com.sa garnet.mobily.com.sa opal.mobily.com.sa pearl.mobily.com.sa mail.daemonic.se mx-50.mil.se mx-60.mil.se mx-70.mil.se mx-80.mil.se mx02.specialfastigheter.se mx03.specialfastigheter.se box.zayenz.se mx.go6lab.si protector.rajmax.si smtp-bad-in-2.t-2.si smtp-good-in-2.t-2.si posta.lubosillit.sk mail1.nafta.sk mail2.nafta.sk mail.rup.sk mx1.energymeteo.systems mx2.energymeteo.systems jrg.systems mail.ict-pros.co.tz box.clientnews1.co.uk box.clientnews2.co.uk box.clientnews3.co.uk box.clientnews4.co.uk filter2.maq2.us box.mqgroup.us mx3.nodns4.us mx4.nodns4.us mail.zugz.wang box.two.wtf mail.0mail.xyz box.alete.xyz mail.ebzao.xyz box.mojomailer.xyz box.qsmail.xyz box.todimail.xyz

1 0

Best to not outright refuse non-TLS incoming mail...
by Viktor Dukhovni 12 Oct '24

12 Oct '24

The DANE survey (https://stat.dnssec-tools.org) turns up a few domains a day that botch their cert rollovers or fail to offer STARTTLS despite publishing DANE TLSA records. I try to send notices to the relevant contacts, but sometimes they shoot themselves in the foot: - Private WHOIS - No contact data at the website - Published contacts don't work (no such user, ...). - Reject earnest notices of technical problems as spam Yesterday, for the first time, I ran into someone whose MTA stopped offering STARTTLS, despite the TLSA records still being in place, but attempts to deliver a notice are rejected: posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow ... brief pause... posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow posttls-finger: > EHLO <...> posttls-finger: < 250-mail.<censored>.dk posttls-finger: < 250-PIPELINING posttls-finger: < 250-SIZE 104857600 posttls-finger: < 250-ETRN posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5 posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5 posttls-finger: < 250-ENHANCEDSTATUSCODES posttls-finger: < 250-8BITMIME posttls-finger: < 250-DSN posttls-finger: < 250 CHUNKING posttls-finger: > QUIT posttls-finger: < 221 2.0.0 Bye The notice bounced with: 550 5.7.1 Session encryption is required (in reply to RCPT TO command) As commendable as it may be to encourage use of TLS, it is not a good practice to outright refuse cleartext mail. -- Viktor.

4 3