On 3-9-18 13:58, Viktor Dukhovni wrote:
>> On smtp.xs4all.nl we enabled DANE outgoing verification[...]
>
> Great news, welcome to the club, and thanks! When you do enable a default hardfail, you might consider exempting a particular sender address or subject tag, or perhaps a custom header:
>
> https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03#section-3
>
> so that you can still send email to the contacts of any domains that are failing, prior to disabling DANE for the domain for all senders.

Oh, that's a good idea. Implemented the "RequireTLS: NO" header now :)

> You might find that some domains have intermittent outages as a result of poorly executed key/cert rollovers where the TLSA records are updated *after* they first become invalid. For any of those, soft fail may make sense until your logs show no failures for a year or more.

Hm, that requires quite a bit of state-keeping. Can such domains be added to the dane-fail list, or should those domains be put on another list? (dane-transient-failures?)

> Indeed the danefail list is not expected to be "complete". If any of you run into domains for which you need to make an exception, please open an issue or pull request on github if unable to resolve with the remote domain.

I'll go over all the DANE logs in a few days, and see if any domains not on the dane-fail list show any errors. If I find any, I'll contact the domains and if necessary create a github pull request on the danefail list.

> For those publishing TLSA records for inbound DANE, please make *sure* that you're offering STARTTLS *unconditionally*, to all SMTP clients with no restrictions by client IP address or reputation. Configurations that restrict STARTTLS to a set of "good" IPs are not compatible with DANE. If STARTTLS was disabled with some client IPs for interoperability reasons, resolve those first.

Thanks, I'll use your message to persuade any other domains that don't send me STARTTLS, if I find any :). If they do not respond, can I add those domains to the dane-fail list too? I understand that selectively offering STARTTLS is a lot harder to test for other people...
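The rollover hazard described in the thread (TLSA records updated only after the new certificate is already being served, so DANE-verifying senders hard fail in the meantime) can be caught before deployment with a pre-publication check. The following is an added example, not code from this thread or from any of the projects mentioned in it: a pure-Python implementation of RFC 6698 TLSA matching (selectors 0 and 1, matching types 0, 1 and 2) together with a check that a *published* TLSA RRset already matches both the certificate currently in service and the one about to replace it. The certificates are synthetic, unsigned DER structures built inline purely so the SPKI extraction can be exercised offline; the function names, the record set and the test keys are all mine. It covers end-entity (usage 3, DANE-EE) matching only; for usage 2 records the same comparison would have to be run against an issuer certificate in the served chain.

```python
import hashlib

# --- minimal DER helpers (just enough to walk an X.509 Certificate) ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV. Used here only to build the synthetic certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_tlv(buf: bytes, off: int):
    """Return (tag, content_offset, content_length) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        return tag, off + 2 + n, length
    return tag, off + 2, first

def der_children(buf: bytes, off: int):
    """Yield (tlv_offset, tag, content_offset, content_length) for each child of a constructed TLV."""
    _, pos, length = der_tlv(buf, off)
    end = pos + length
    while pos < end:
        tag, cstart, clen = der_tlv(buf, pos)
        yield pos, tag, cstart, clen
        pos = cstart + clen

def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (what TLSA selector 1 hashes) from a certificate."""
    tbs_off = next(der_children(cert_der, 0))[0]      # tbsCertificate is the first child
    fields = list(der_children(cert_der, tbs_off))
    idx = 1 if fields[0][1] == 0xA0 else 0            # optional explicit [0] version
    # after the version: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    off, _, cstart, clen = fields[idx + 5]
    return cert_der[off:cstart + clen]

# --- TLSA matching, RFC 6698 section 2.1 ---

def tlsa_assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for a given selector (0 = full cert, 1 = SPKI) and matching type."""
    if selector not in (0, 1):
        raise ValueError("unknown selector %d" % selector)
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data                                  # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)

def make_tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes) -> bytes:
    """Wire-format TLSA RDATA: usage, selector, matching type, association data."""
    return bytes([usage, selector, mtype]) + tlsa_assoc_data(cert_der, selector, mtype)

def tlsa_presentation(rdata: bytes) -> str:
    """Zone-file presentation of the RDATA, e.g. '3 1 1 <hex>'."""
    return "%d %d %d %s" % (rdata[0], rdata[1], rdata[2], rdata[3:].hex())

def tlsa_matches(rdata: bytes, cert_der: bytes) -> bool:
    """True when this record's association data matches the given end-entity certificate."""
    _usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    try:
        return tlsa_assoc_data(cert_der, selector, mtype) == rdata[3:]
    except ValueError:
        return False                                  # unusable record: matches nothing

def rollover_safe(rrset, current_cert: bytes, next_cert: bytes) -> bool:
    """Only switch to next_cert once the published RRset matches both the live cert and the new one."""
    return (any(tlsa_matches(r, current_cert) for r in rrset)
            and any(tlsa_matches(r, next_cert) for r in rrset))

# --- synthetic certificates (constructed for this example; unsigned, not trusted by anything) ---

def synthetic_cert(pubkey_bits: bytes) -> bytes:
    """Build a structurally valid X.509 DER blob whose SPKI wraps pubkey_bits."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    name = der(0x30, b"")                              # empty Name: enough for this parser
    validity = der(0x30, der(0x17, b"180101000000Z") + der(0x17, b"190101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, version + serial + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))   # dummy signature value

if __name__ == "__main__":
    current = synthetic_cert(b"\x01" * 16)             # key in service today
    upcoming = synthetic_cert(b"\x02" * 16)            # key about to be deployed
    published = [make_tlsa_rdata(3, 1, 1, current)]    # what the zone currently says
    print("published:", tlsa_presentation(published[0]))
    print("safe to switch now:", rollover_safe(published, current, upcoming))      # False
    published.append(make_tlsa_rdata(3, 1, 1, upcoming))                         # add "3 1 1" for the new key first
    print("safe after adding next-key record:", rollover_safe(published, current, upcoming))  # True
```

The order the example enforces is the one that avoids the intermittent failures: publish the "3 1 1" record for the next key, wait at least the old RRset's TTL, then swap the certificate, and only then retire the old record. Running `rollover_safe` against the records actually visible in DNS (not the zone file) before the swap catches the case where the update has not propagated yet.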