What would you like to read about DANE on the test site?
Greetings,
one of the tasks before v1 is a page (or some pages) that lets visitors of the test site read more about DANE. What would you want to read about DANE?
Things that come to my mind are:
- What is DANE?
- Which problems does it solve?
- How does it work?
- Which SMTP software supports DANE?
Please feel free to comment. I'd like to come up with something useful for those who want to read into DANE.
p@rick
On Wed, Jan 14, 2015 at 09:42:32AM +0100, Patrick Ben Koetter wrote:
- What is DANE?
- Which problems does it solve?
- How does it work?
- Which SMTP software supports DANE?
- s/SMTP// (why restrict it to SMTP?)
- Implementation details / help / experience
* Eray Aslan eraya@a21an.org:
On Wed, Jan 14, 2015 at 09:42:32AM +0100, Patrick Ben Koetter wrote:
- What is DANE?
- Which problems does it solve?
- How does it work?
- Which SMTP software supports DANE?
- s/SMTP// (why restrict it to SMTP?)
Agreed. We're open to adopting other protocols.
We started with the goal to help people adopt DANE SMTP. We'd like to get that right first. Once we're done with our roadmap we may add more protocols, e.g. HTTPS.
- Implementation details / help / experience
THX
p@rick
On Wed, Jan 14, 2015 at 09:42:32AM +0100, Patrick Ben Koetter wrote:
- What is DANE?
- Which problems does it solve?
- How does it work?
- Which SMTP software supports DANE?
For people thinking about implementing DANE it may be useful to know who is already using DANE.
Maybe you can add some statistics like "unique successfully checked DANE domains". Or a list with all domains checked so far.
Or provide/link some numbers regarding adoption. Maybe a few domains can provide numbers on how much outgoing mail their systems are able to send using DANE. Or it may be possible to take a list of valid senders (dnswl.org) and check how many of their domains are DANEified.
Markus
* Markus Benning ich@markusbenning.de:
On Wed, Jan 14, 2015 at 09:42:32AM +0100, Patrick Ben Koetter wrote:
- What is DANE?
- Which problems does it solve?
- How does it work?
- Which SMTP software supports DANE?
For people thinking about implementing DANE it may be useful to know who is already using DANE.
Maybe you can add some statistics like "unique successfully checked DANE domains". Or a list with all domains checked so far.
Yep. DANE statistics are on our ROADMAP.
Or provide/link some numbers regarding adoption.
Yep.
Maybe a few domains can provide numbers on how much outgoing mail their systems are able to send using DANE. Or it may be possible to take a list of valid senders (dnswl.org) and check how many of their domains are DANEified.
That's a good idea, but probably a different project. You seem to be good at Perl. Would you like to create a patch for pflogsumm? I think this would be the right place to do this (and reuse what's there already).
p@rick
On Wed, Jan 14, 2015 at 10:53:56AM +0100, Patrick Ben Koetter wrote:
That's a good idea, but probably a different project. You seem to be good at Perl. Would you like to create a patch for pflogsumm? I think this would be the right place to do this (and reuse what's there already).
Here's a first version with TLS statistics:
https://markusbenning.de/tmp/pflogsumm
Try:
$ pflogsumm --tls-stats --smtpd-stats --smtp-detail=1 /var/log/mail.log
To see percent values, --smtpd-stats or --smtp-detail=1 must be used.
Markus
* Markus Benning ich@markusbenning.de:
On Wed, Jan 14, 2015 at 10:53:56AM +0100, Patrick Ben Koetter wrote:
That's a good idea, but probably a different project. You seem to be good at Perl. Would you like to create a patch for pflogsumm? I think this would be the right place to do this (and reuse what's there already).
Here's a first version with TLS statistics:
https://markusbenning.de/tmp/pflogsumm
Try:
$ pflogsumm --tls-stats --smtpd-stats --smtp-detail=1 /var/log/mail.log
To see percent values, --smtpd-stats or --smtp-detail=1 must be used.
Nice! What's the error in "TLS Statistics"? Is it the cause of "0 incoming tls connections"?
TLS Statistics
--------------
Use of uninitialized value $value in division (/) at ./pflogsumm line 1189, <> line 167203.
      0   incoming tls connections (0.00% of 8915)
   3438   outgoing tls connections

Outgoing TLS trust-level
------------------------
   2289   Untrusted
    914   Verified
    235   Trusted

Outgoing TLS Protocol Version
-----------------------------
   2606   TLSv1
    832   TLSv1.1

Outgoing TLS key length
-----------------------
   3214   256
    224   128

Outgoing TLS Ciphers
--------------------
   1636   ECDHE-RSA-AES256-SHA
   1469   DHE-RSA-AES256-SHA
    127   AES128-SHA
     97   ECDHE-RSA-AES128-SHA
     69   AES256-SHA
     40   DHE-RSA-CAMELLIA256-SHA
Markus
-- Markus Benning, https://markusbenning.de/
On Fri, Jan 16, 2015 at 09:54:09AM +0100, Patrick Ben Koetter wrote:
Nice! What's the error in "TLS Statistics"? Is it the cause of "0 incoming tls connections"?
TLS Statistics
--------------
Use of uninitialized value $value in division (/) at ./pflogsumm line 1189, <> line 167203.
      0   incoming tls connections (0.00% of 8915)
   3438   outgoing tls connections
Just fixed it.
Outgoing TLS trust-level
------------------------
   2289   Untrusted
    914   Verified
    235   Trusted
As far as I understand the docs, with tls_security_level=dane it should mean:
Verified  - DANE okay (or explicit policy map)
Trusted   - CA-signed certificate
Untrusted - unknown CA, self-signed, ...
http://www.postfix.org/FORWARD_SECRECY_README.html
Markus
* Markus Benning ich@markusbenning.de:
On Fri, Jan 16, 2015 at 09:54:09AM +0100, Patrick Ben Koetter wrote:
Nice! What's the error in "TLS Statistics"? Is it the cause of "0 incoming tls connections"?
TLS Statistics
--------------
Use of uninitialized value $value in division (/) at ./pflogsumm line 1189, <> line 167203.
      0   incoming tls connections (0.00% of 8915)
   3438   outgoing tls connections
Just fixed it.
Confirmed.
Outgoing TLS trust-level
------------------------
   2289   Untrusted
    914   Verified
    235   Trusted
As far as I understand the docs, with tls_security_level=dane it should mean:
Verified  - DANE okay (or explicit policy map)
Trusted   - CA-signed certificate
Untrusted - unknown CA, self-signed, ...
Viktor might have a word on the subtle differences. ;)
p@rick
On Fri, Jan 16, 2015 at 10:41:27AM +0100, Markus Benning wrote:
[ Postfix-specific topic, if you're not a Postfix user, you can safely ignore this sub-thread. ]
Outgoing TLS trust-level
------------------------
   2289   Untrusted
    914   Verified
    235   Trusted
As far as I understand the docs, with tls_security_level=dane it should mean:
Verified  - DANE okay (or explicit policy map)
Trusted   - CA-signed certificate
Untrusted - unknown CA, self-signed, ...
There's also "Anonymous". As for DANE, if the destination has TLSA records, you'll see "Verified" when it works, and "Untrusted" when it fails.
With the other security levels, you'll sometimes see "Trusted", when the chain is issued by a trusted CA (if you've configured any), but either peer checks fail or authentication is not required ("encrypt" or "may").
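The per-trust-level counts Markus's pflogsumm patch produces, and the zero-division warning it tripped on when a log had no incoming TLS sessions, can be reproduced with a small standalone parser. The following is an added example, not code from pflogsumm or from anyone in this thread; it assumes the standard Postfix "TLS connection established" log format (trust level, peer, protocol, cipher, "(used/algorithm bits)") and counts every smtpd "connect from" line as one incoming session so the incoming-TLS percentage has a denominator. The log lines embedded below are constructed for the example. As Viktor notes, the log line alone does not record the configured security level, so the parser reports Verified/Untrusted/Trusted/Anonymous as logged rather than labelling any outcome "DANE".

```python
"""Count Postfix TLS connection log lines by direction, trust level, protocol,
cipher and key length, in the spirit of pflogsumm --tls-stats."""
import re
from collections import Counter

# Matches the line Postfix smtp (outgoing) and smtpd (incoming) log when a TLS
# handshake completes. Postfix 3.x appends key-exchange details after "bits)",
# which search() simply ignores.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)
# Every incoming session, TLS or not, starts with a "connect from" line.
SMTPD_CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from ")

# Constructed sample log; hostnames and addresses are documentation values.
SAMPLE_LOG = """\
Jan 16 09:50:01 mx postfix/smtpd[2100]: connect from client.example.net[198.51.100.9]
Jan 16 09:50:01 mx postfix/smtpd[2100]: Anonymous TLS connection established from client.example.net[198.51.100.9]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jan 16 09:50:02 mx postfix/smtp[2001]: Verified TLS connection established to mx1.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 16 09:50:03 mx postfix/smtp[2002]: Untrusted TLS connection established to mail.example.net[198.51.100.5]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 16 09:50:04 mx postfix/smtp[2003]: Trusted TLS connection established to smtp.example.com[203.0.113.7]:25: TLSv1.1 with cipher AES128-SHA (128/128 bits)
Jan 16 09:50:05 mx postfix/smtpd[2101]: connect from unknown[192.0.2.99]
Jan 16 09:50:06 mx postfix/smtp[2004]: Verified TLS connection established to mx1.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 16 09:50:07 mx postfix/smtp[2005]: 4B2C1A3F: to=<user@example.com>, relay=smtp.example.com[203.0.113.7]:25, status=sent (250 2.0.0 Ok)
""".splitlines()


def percent(part, total):
    """Percentage that stays defined when the denominator is zero, which is
    exactly the case (no incoming TLS, or no smtpd stats collected) that
    produced the 'uninitialized value in division' warning in the thread."""
    return 0.0 if total == 0 else round(100.0 * part / total, 2)


def tls_stats(lines):
    """Return counters keyed by daemon ('smtp' = outgoing, 'smtpd' = incoming)."""
    stats = {
        "incoming_connections": 0,
        "incoming_tls": 0,
        "outgoing_tls": 0,
        "trust": {"smtp": Counter(), "smtpd": Counter()},
        "protocol": {"smtp": Counter(), "smtpd": Counter()},
        "cipher": {"smtp": Counter(), "smtpd": Counter()},
        "key_bits": {"smtp": Counter(), "smtpd": Counter()},
    }
    for line in lines:
        if SMTPD_CONNECT.search(line):
            stats["incoming_connections"] += 1
        m = TLS_LINE.search(line)
        if not m:
            continue
        d = m.group("daemon")
        if d == "smtpd":
            stats["incoming_tls"] += 1
        else:
            stats["outgoing_tls"] += 1
        stats["trust"][d][m.group("trust")] += 1
        stats["protocol"][d][m.group("proto")] += 1
        stats["cipher"][d][m.group("cipher")] += 1
        # First number is the key strength actually used by the cipher.
        stats["key_bits"][d][int(m.group("bits"))] += 1
    stats["incoming_tls_percent"] = percent(
        stats["incoming_tls"], stats["incoming_connections"])
    return stats


def report(stats):
    """Render the counters in a pflogsumm-like layout and return the text."""
    out = ["TLS Statistics", "--------------",
           "%7d   incoming tls connections (%.2f%% of %d)" % (
               stats["incoming_tls"], stats["incoming_tls_percent"],
               stats["incoming_connections"]),
           "%7d   outgoing tls connections" % stats["outgoing_tls"]]
    for title, key in (("Outgoing TLS trust-level", "trust"),
                       ("Outgoing TLS Protocol Version", "protocol"),
                       ("Outgoing TLS key length", "key_bits"),
                       ("Outgoing TLS Ciphers", "cipher")):
        out += ["", title, "-" * len(title)]
        for name, n in stats[key]["smtp"].most_common():
            out.append("%7d   %s" % (n, name))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(tls_stats(SAMPLE_LOG)))
```

Run it against a real log with `python3 tlsstats.py < /dev/null` replaced by reading `/var/log/mail.log` line by line; the shape of the output matches the sections in Markus's posting, and an empty log prints "0.00% of 0" instead of dying.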
participants (4)
- Eray Aslan
- Markus Benning
- Patrick Ben Koetter
- Viktor Dukhovni