On Tue, Jul 28, 2015 at 03:34:23PM +0200, Bjørn Mork wrote:

> Mark Elkins <mje@posix.co.za> writes:
>
>> For email - you need a TLSA 311 Certificate.
>
> Care to explain why? I am sure I'm missing something here, but this isn't obvious to me.
> And does "email" mean SMTP or POP/IMAP or all of them?
Sorry, just MTA-to-MTA SMTP:
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-1.3
> Until now I've just used the same private self-signed CA certificate for all services, and just created aliases to a common TLSA 2 0 1 record.
That's also fine, if the CA in question is the issuer of the individual server certificates. The constraint for MTA-to-MTA SMTP is that you SHOULD NOT publish TLSA records with certificate usages PKIX-TA(0) or PKIX-EE(1). A "3 X Y" is the right alternative for "1 X Y" and "2 N M" is the right alternative for "0 N M".
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.1
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.2
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-3.1.3
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.1
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.2
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.3
https://tools.ietf.org/html/draft-ietf-dane-ops-14#section-5.4
> This appeared to work fine, but then again: I don't know how I would detect a failure... There aren't that many validating email clients out there.
>
> How do you test and validate TLSA records for SMTP, POP and IMAP?
Just for SMTP MTAs (port 25):
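Added example, not part of the thread above and not code from any of the participants or from Postfix: a small script that computes TLSA certificate association data from a certificate the way the "3 1 1" and "2 0 1" records discussed above are built, and checks a candidate record the way an SMTP-specific validator would, rejecting the PKIX-TA(0)/PKIX-EE(1) usages outright and then comparing the data against the end-entity certificate (usage 3) or the issuing CA certificate (usage 2). It assumes openssl(1), od, awk and tr are on PATH; the private CA, the mx.example.test certificate it issues, and the record strings are constructed test fixtures, not a real zone.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread). Assumes openssl(1) in PATH.
set -e

# Selector 0 = full certificate DER; selector 1 = SubjectPublicKeyInfo DER.
cert_der() { openssl x509 -in "$1" -outform DER; }
spki_der() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER; }

# tlsa_data PEM SELECTOR MATCHING_TYPE -> certificate association data as lowercase hex
# matching type 0 = raw DER, 1 = SHA-256, 2 = SHA-512
tlsa_data() {
  pem=$1; sel=$2; mt=$3
  case $sel in 0) dump=cert_der ;; 1) dump=spki_der ;; *) echo "bad selector: $sel" >&2; return 2 ;; esac
  case $mt in
    0) "$dump" "$pem" | od -An -vtx1 | tr -d ' \n' ;;
    1) "$dump" "$pem" | openssl dgst -sha256 | awk '{print $NF}' ;;
    2) "$dump" "$pem" | openssl dgst -sha512 | awk '{print $NF}' ;;
    *) echo "bad matching type: $mt" >&2; return 2 ;;
  esac
}

# smtp_usage_ok USAGE: only DANE-TA(2) and DANE-EE(3) are acceptable for MTA-to-MTA SMTP;
# PKIX-TA(0) and PKIX-EE(1) are the usages the draft says SHOULD NOT be published.
smtp_usage_ok() { case $1 in 2|3) return 0 ;; *) return 1 ;; esac; }

# check_tlsa "USAGE SEL MT HEX" EE_PEM CA_PEM
# Returns 0 when the record is SMTP-appropriate and its data matches the right certificate:
# the server (end-entity) certificate for usage 3, the issuing CA certificate for usage 2.
check_tlsa() {
  rr=$1; ee=$2; ca=$3
  set -- $rr
  usage=$1; sel=$2; mt=$3; data=$(echo "$4" | tr 'A-F' 'a-f')
  if ! smtp_usage_ok "$usage"; then
    echo "REJECT: usage $usage is PKIX-TA/PKIX-EE; publish usage $((usage + 2)) instead for SMTP" >&2
    return 1
  fi
  if [ "$usage" = 3 ]; then src=$ee; else src=$ca; fi
  want=$(tlsa_data "$src" "$sel" "$mt") || return 2
  if [ "$data" = "$want" ]; then
    echo "OK: $usage $sel $mt matches $src"
    return 0
  fi
  echo "MISMATCH: $usage $sel $mt data does not match $src" >&2
  return 1
}

# make_test_pki DIR: constructed fixture, a throwaway private CA plus an MX certificate it issued.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Example Private CA" -days 2 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ee.key" -out "$d/ee.csr" \
    -subj "/CN=mx.example.test" 2>/dev/null
  openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/ee.pem" -days 2 2>/dev/null
}

main() {
  w=$(mktemp -d); trap "rm -rf '$w'" EXIT
  make_test_pki "$w"
  ee311=$(tlsa_data "$w/ee.pem" 1 1)
  ca201=$(tlsa_data "$w/ca.pem" 0 1)
  # Records one would publish for this MX (hypothetical owner name):
  echo "_25._tcp.mx.example.test. IN TLSA 3 1 1 $ee311"
  echo "_25._tcp.mx.example.test. IN TLSA 2 0 1 $ca201"
  check_tlsa "3 1 1 $ee311" "$w/ee.pem" "$w/ca.pem"
  check_tlsa "2 0 1 $ca201" "$w/ee.pem" "$w/ca.pem"
  # Same key material, wrong usage for SMTP: rejected before any hash comparison.
  check_tlsa "1 1 1 $ee311" "$w/ee.pem" "$w/ca.pem" || true
}
main
```

For a live check against DNS, fetch the record with `dig +dnssec _25._tcp.<mx-host> TLSA` and hand the RDATA to `check_tlsa` together with the certificate the MX actually serves on port 25 (`openssl s_client -starttls smtp -connect <mx-host>:25`); a "2 X Y" record must be compared against the issuer certificate the server sends in its chain, not against the leaf.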