(Please correct me if I am wrong - Still Learning myself!)
On Tue, 2015-07-28 at 15:34 +0200, Bjørn Mork wrote:
> Mark Elkins <mje@posix.co.za> writes:
>> For email - you need a TLSA 311 Certificate.
> Care to explain why? I am sure I'm missing something here, but this isn't obvious to me.
The topic was DANE and generating valid TLSA records from a Web certificate for Web purposes. The same Web certificate can be used for creating an appropriate TLSA record for mail. In the case of MTA to MTA (Mail Transport Agent, e.g. Exim or Postfix) the TLSA record could look like...
_25._tcp.vweb.co.za. IN TLSA 3 1 1 588c9c64a52c1a0d4cb1e82d67d746504241480c55b1edd24b6fc7cd4f836997
i.e. the bit you stick in a zone file...
> And does "email" mean SMTP or POP/IMAP or all of them?
Just MTA to MTA
> Until now I've just used the same private self-signed CA certificate for all services,
In my experience, most web browsers complain about self-signed certificates until an exception is made for that certificate. Microsoft Explorer is particularly rude and strongly suggests that a user not trust it (= customers go elsewhere). I think therefore, to make going to a secure website as palatable as possible, get the certificate signed by a reputable CA. If you have such a certificate it can also be used for e-mail: for MTA to MTA (secure SMTP), for Submission (authenticated + secured SMTP) and for IMAP/POP3 (e.g. Courier-IMAP).
> and just created aliases to a common TLSA 2 0 1 record. This appeared to work fine, but then again: I don't know how I would detect a failure... There aren't that many validating email clients out there.
I think Viktor Dukhovni <ietf-dane@dukhovni.org> possibly has a test system?
> How do you test and validate TLSA records for SMTP, POP and IMAP?
If by SMTP, you mean a client sending outbound mail via their ISP using Submission - I wasn't aware that TLSA records played a role in this area. I'm also not aware that they play a role in the IMAP/POP3 area either.
I personally use IMAP on port 993 (SSL/TLS) and Submission on 587 (STARTTLS after connection), and have done so for a long time before playing with DANE and TLSA records.
TLSA records for MTA to MTA make sense: you don't know if the recipient MTA uses TLS, and the TLSA record in the (DNSSEC-secured) DNS can confirm this if it exists.
On the other hand, the relationship between Client and ISP by definition probably has to be known about. (I run a smallish ISP - I have clients, many of them have their mail clients configured like this.)
> Bjørn
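An added example, not from either poster's message, tying the two halves of the exchange together: how the "3 1 1" record Mark shows is derived from a certificate (selector 1 = the DER SubjectPublicKeyInfo, matching type 1 = its SHA-256), and the check a validating SMTP client does with it (usage 3, DANE-EE, compares the presented end-entity certificate against the record; it does not do the chain building a usage-2 DANE-TA record like Bjørn's would need). To run offline with only the standard library it builds a constructed, structurally valid DER "certificate" with a dummy key and signature instead of reading a real one; the owner name vweb.co.za is taken from Mark's record, everything else is made up for the example.

```python
# Added example (not code from the thread): derive a TLSA record from a certificate
# and check a presented certificate against it, DANE-EE (usage 3) only.
# The certificate is a constructed DER structure with a dummy key and signature.
import hashlib


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, off):
    """Read one TLV at buf[off:] (single-byte tags); return (tag, value, next offset)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    else:
        length = first
    return tag, buf[off:off + length], off + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (TLSA selector 1) of an X.509 cert."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    off = 0
    tag, _, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:          # [0] EXPLICIT version is optional (absent in v1 certs)
        off = nxt
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, off = _read_tlv(tbs, off)
    tag, _, end = _read_tlv(tbs, off)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[off:end]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text: usage, selector, matching type, hex association data."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype == 0:
        assoc = data                                  # exact match, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_record(host, cert_der, port=25, proto="tcp", usage=3, selector=1, mtype=1):
    """Full zone-file line, e.g. '_25._tcp.vweb.co.za. IN TLSA 3 1 1 <hex>'."""
    return f"_{port}._{proto}.{host}. IN TLSA " + tlsa_rdata(cert_der, usage, selector, mtype)


def parse_tlsa_line(line):
    """Zone-file TLSA line -> (usage, selector, mtype, hex); joins a line-wrapped hash."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    return usage, selector, mtype, "".join(fields[i + 4:]).lower()


def dane_ee_match(cert_der, records):
    """True if the presented end-entity cert matches any usage-3 record.
    Usage-2 (DANE-TA) records are skipped: they name an issuer somewhere in the
    chain and need path building, which this example deliberately does not do."""
    for usage, selector, mtype, hexdata in records:
        if usage != 3:
            continue
        if tlsa_rdata(cert_der, usage, selector, mtype).split()[3] == hexdata:
            return True
    return False


def toy_certificate(pubkey_bits):
    """Constructed, structurally valid DER Certificate (dummy key, zero signature)."""
    rsa_sha256 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    rsa_enc = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                         # v3
    serial = _tlv(0x02, b"\x01")
    name = _tlv(0x30, b"")                                            # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + pubkey_bits))
    tbs = _tlv(0x30, version + serial + rsa_sha256 + name + validity + name + spki)
    return _tlv(0x30, tbs + rsa_sha256 + _tlv(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = toy_certificate(b"\x01" * 64)
    line = tlsa_record("vweb.co.za", cert)
    print(line)
    rec = parse_tlsa_line(line)
    print("presented cert matches:", dane_ee_match(cert, [rec]))
    print("some other cert matches:", dane_ee_match(toy_certificate(b"\x02" * 64), [rec]))
```

For a real deployment you would feed extract_spki the DER of the certificate the MTA actually presents (the same file whether it came from a public CA or is self-signed; DANE-EE does not care who signed it), and a validating client would fetch the record over DNSSEC before comparing. The "3 1 1" form is what survives a certificate renewal that keeps the key, which is why it is the usual choice for SMTP; a "3 0 1" record over the whole certificate changes on every reissue.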