On May 18, 2017, at 3:23 AM, Bart Knubben <bart@knubben.org> wrote:
- Check this new tool for testing if your mail server checks DANE
when sending email: https://havedane.net
It is a step in the right direction, though testing should ultimately
be much more comprehensive.
* Test that "expired" certificates are accepted with DANE-EE(3)
* Test that matching hostnames are not required with DANE-EE(3)
* Test multiple DANE-EE(3) SPKI(1) SHA2-256(1) records with
just one matching the chain.
* Probe for digest agility support, test a working SHA2-512(2) and
a non-working SHA2-256(1), and vice versa.
* Test DANE-TA(2) support with TA certificate in the server chain
* Test DANE-TA(2) with wildcard leaf certificate.
* Test DANE-TA(2) with expired leaf certificates, or non-matching
DNS-ID.
* Test optional DANE-TA(2) SPKI(1) Full(0) support with the trust
anchor public key in DNS and the full certificate NOT provided
in the chain (Postfix supports this, other MTAs might not. Per
RFC7671 support for this corner case is optional, and servers MUST
include the trust anchor CA certificate in their chain.)
* Test support for a combination of a DANE-TA(2) and a DANE-EE(3)
(both cases).
* Test TLSA record lookup failures (broken RRsig, broken denial of
existence, ...)
* Test DNSSEC-signed domains with MX hostnames in an unsigned zone.
Their TLSA records should not be looked up (delegate "_tcp" to
non-responding and perhaps query-logging servers, sender should
not be delayed by trying to look these up).
...
If you want to check that your Postfix is doing DANE minimally correctly
per this site, just try:
$ myemail=...
$ sendmail -bv -f $myemail probe-rcpt@wrong.havedane.net
$ sendmail -bv -f $myemail probe-rcpt@do.havedane.net
$ sendmail -bv -f $myemail probe-rcpt@dont.havedane.net
Then check your logs. You should see something along the lines of:
May 18 10:10:59 amnesiac postfix/pickup[60085]: B48AC3904F: uid=1001 from=<...>
May 18 10:10:59 amnesiac postfix/cleanup[60313]: B48AC3904F: message-id=<20170518141059.B48AC3904F@amnesiac.imrryr.org>
May 18 10:10:59 amnesiac postfix/qmgr[17091]: B48AC3904F: from=<...>, size=316, nrcpt=1 (queue active)
May 18 10:11:00 amnesiac postfix/smtp[60315]: certificate verification failed for wrong.havedane.net[5.79.70.105]:25: untrusted issuer /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection established to wrong.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F: to=<probe-rcpt@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server certificate not trusted)
May 18 10:11:01 amnesiac postfix/bounce[60328]: B48AC3904F: sender delivery status notification: 0CA8939052
May 18 10:11:01 amnesiac postfix/qmgr[17091]: B48AC3904F: removed
May 18 10:11:18 amnesiac postfix/pickup[60085]: D1FFC39054: uid=1001 from=<...>
May 18 10:11:18 amnesiac postfix/cleanup[60313]: D1FFC39054: message-id=<20170518141118.D1FFC39054@amnesiac.imrryr.org>
May 18 10:11:18 amnesiac postfix/qmgr[17091]: D1FFC39054: from=<...>, size=313, nrcpt=1 (queue active)
May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection established to do.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054: to=<47e517f26634fd03@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:19 amnesiac postfix/bounce[60328]: D1FFC39054: sender delivery status notification: F024239056
May 18 10:11:19 amnesiac postfix/qmgr[17091]: D1FFC39054: removed
May 18 10:11:36 amnesiac postfix/pickup[60085]: 8385E39058: uid=1001 from=<...>
May 18 10:11:36 amnesiac postfix/cleanup[60313]: 8385E39058: message-id=<20170518141136.8385E39058@amnesiac.imrryr.org>
May 18 10:11:36 amnesiac postfix/qmgr[17091]: 8385E39058: from=<...>, size=315, nrcpt=1 (queue active)
May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection established to dont.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058: to=<47e517f26634fd03@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.91/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:37 amnesiac postfix/bounce[60328]: 8385E39058: sender delivery status notification: 99CC23905A
May 18 10:11:37 amnesiac postfix/qmgr[17091]: 8385E39058: removed
--
Viktor.
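The "check your logs" step above is easy to get wrong by eye, so here is an added example (not part of Viktor's post, and not Postfix or havedane.net code) that reads the smtp(8) log lines and applies the outcomes the excerpt shows: wrong.havedane.net must log an Untrusted session and be undeliverable, do.havedane.net must log a Verified session, and dont.havedane.net must still deliver without verification. The sample log below is constructed to mirror the excerpt (with the <...> around addresses restored), and the EXPECTED table is an assumption derived from that excerpt rather than a specification of what the probe domains serve; the second sample shows what a sender that is not enforcing DANE would log.

```python
import re

# Postfix smtp(8) session line. The leading word is the trust level Postfix
# assigned: Anonymous (no certificate checked), Untrusted (certificate seen
# but not verified), Trusted (CA-verified), Verified (TLSA/DANE or fingerprint
# match). Only Verified proves DANE actually authenticated the peer.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\s\[]+)\[[^\]]+\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Per-recipient result line; `sendmail -bv` yields status=deliverable or
# status=undeliverable instead of sent/bounced/deferred.
RCPT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<host>[^\s\[]+)\[[^\]]+\]:\d+, .*?dsn=(?P<dsn>\d\.\d\.\d+), "
    r"status=(?P<status>\w+)"
)

# Expected (TLS level, delivery status) per probe domain. Assumption: this is
# what the log excerpt in the post shows, taken as the pass criteria.
EXPECTED = {
    "wrong.havedane.net": ("Untrusted", "undeliverable"),  # TLSA mismatch must block delivery
    "do.havedane.net": ("Verified", "deliverable"),        # TLSA match, DANE-verified
    "dont.havedane.net": ("Anonymous", "deliverable"),     # no usable TLSA, opportunistic TLS
}

# Constructed sample log, modelled line by line on the excerpt in the post.
SAMPLE_LOG = """\
May 18 10:11:00 amnesiac postfix/smtp[60315]: certificate verification failed for wrong.havedane.net[5.79.70.105]:25: untrusted issuer /CN=Fort-Funston CA
May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection established to wrong.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F: to=<probe-rcpt@wrong.havedane.net>, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server certificate not trusted)
May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection established to do.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054: to=<probe-rcpt@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection established to dont.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058: to=<probe-rcpt@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.91/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
"""

# Constructed failure case: a sender running opportunistic TLS without DANE
# still logs "Untrusted" for the mismatching host but goes on to deliver.
BROKEN_LOG = SAMPLE_LOG.replace(
    "dsn=4.7.5, status=undeliverable (Server certificate not trusted)",
    "dsn=2.1.5, status=deliverable (250 2.1.5 Ok)",
)


def parse_postfix_log(text):
    """Collect per-host session data: TLS level/cipher plus delivery status."""
    sessions = {}
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            sessions.setdefault(m.group("host"), {}).update(
                level=m.group("level"), proto=m.group("proto"), cipher=m.group("cipher"))
            continue
        m = RCPT_RE.search(line)
        if m:
            sessions.setdefault(m.group("host"), {}).update(
                queue=m.group("queue"), rcpt=m.group("rcpt"),
                dsn=m.group("dsn"), status=m.group("status"))
    return sessions


def check_dane_probes(sessions, expected=EXPECTED):
    """Return {host: (ok, explanation)} comparing each probe to EXPECTED."""
    verdicts = {}
    for host, (want_level, want_status) in expected.items():
        s = sessions.get(host)
        if s is None:
            verdicts[host] = (False, "no smtp(8) log lines for this host")
            continue
        got = (s.get("level"), s.get("status"))
        if got == (want_level, want_status):
            verdicts[host] = (True, "ok: %s TLS, %s" % got)
        elif want_status == "undeliverable" and got[1] == "deliverable":
            # The one outcome that matters most: a TLSA mismatch was not enforced.
            verdicts[host] = (False, "DANE NOT ENFORCED: delivered despite TLSA mismatch (%s TLS)" % got[0])
        else:
            verdicts[host] = (False, "expected %s/%s, got %s/%s" % (want_level, want_status, *got))
    return verdicts


def dane_minimally_correct(text):
    """True when every probe host in the log matches the expected outcome."""
    return all(ok for ok, _ in check_dane_probes(parse_postfix_log(text)).values())


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("broken", BROKEN_LOG)):
        print(name)
        for host, (ok, why) in check_dane_probes(parse_postfix_log(log)).items():
            print("  %-20s %s %s" % (host, "PASS" if ok else "FAIL", why))
```

Feed it the relevant slice of your own mail log (`grep 'postfix/smtp\[' /var/log/maillog`, path varies by system) after running the three `sendmail -bv` probes; a "Verified" line for do.havedane.net together with an undeliverable result for wrong.havedane.net is the minimum evidence that TLSA records are being looked up and enforced, and, as the post notes, it says nothing about the harder cases in the list above.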