DANE-enabled SMTP test destination?
Hi All,
Does anyone know of an SMTP+DANE email reflector address where you can send test email to in order to validate proper SMTP client DANE behavior? No amount of creative Googling or the list archives seemed to surface an answer.
Something akin to this, albeit for DANE: http://www.port25.com/support/authentication-center/email-verification/
Sincerely,
Kevin San Diego
On Wed, Apr 08, 2015 at 05:36:03PM +0000, Kevin San Diego wrote:
Does anyone know of an SMTP+DANE email reflector address where you can send test email to in order to validate proper SMTP client DANE behavior?
What do you want the "reflector" to do? The "sink@dane.sys4.de" address will accept email, and your Postfix logs for a probe DSN report will show whether TLS verification for that domain succeeded.
$ sendmail -f postfix-users@dukhovni.org -bv sink@dane.sys4.de
Mail Delivery Status Report will be mailed to postfix-users@dukhovni.org.
The attached DSN report shows the message queue-id, and the logs (find my "collate" perl script in the list archives) show:
Apr 8 17:47:22 mournblade postfix/pickup[25416]: 96F7F283034: uid=1034 from=<postfix-users@dukhovni.org>
Apr 8 17:47:22 mournblade postfix/cleanup[24430]: 96F7F283034: message-id=<20150408174722.96F7F283034@mournblade.imrryr.org>
Apr 8 17:47:22 mournblade postfix/qmgr[8720]: 96F7F283034: from=<postfix-users@dukhovni.org>, size=302, nrcpt=1 (queue active)
Apr 8 17:47:25 mournblade postfix/smtp[9856]: Verified TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 8 17:47:25 mournblade postfix/smtp[9856]: 96F7F283034: to=<sink@dane.sys4.de>, relay=dane.sys4.de[194.126.158.134]:25, delay=2.8, delays=0.04/0.02/2.7/0.14, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Apr 8 17:47:25 mournblade postfix/bounce[26846]: 96F7F283034: sender delivery status notification: 84EBC283035
Apr 8 17:47:25 mournblade postfix/qmgr[8720]: 96F7F283034: removed
This was "Verified" so DANE worked as expected. Don't know of any SMTP domains with deliberately broken TLSA records for test purposes that should fail.
I don't think I should publish any of the (short) list of domains that are broken through negligence as appropriate targets of public tests.
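The log excerpt above is what actually answers the question: Postfix logs the TLS security level ("Verified", "Trusted", "Untrusted" or "Anonymous") on the smtp(8) connection line, and the delivery line that follows on the same smtp process tells you which message and recipient rode that connection. The script below is an added example written for this thread, not the "collate" script Viktor refers to and not part of Postfix; it correlates the two line types by smtp process id and flags deliveries to domains you expect to be DANE-verified that were not. The first two sample lines are the ones from the log above; the remaining sample lines, the domains example.org and example.net, and the queue ids in them are constructed.

```python
import re

# Postfix smtp(8) TLS connection line: the first word is the security level that
# tells you whether DANE (or a CA/fingerprint policy) verified the peer.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Postfix smtp(8) delivery line for one recipient. Angle brackets around the
# address are optional here because some log viewers strip them.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<?(?P<rcpt>[^>,\s]+)>?, "
    r"relay=(?P<relay>\S+), .*status=(?P<status>\w+)"
)

# Constructed sample log. Lines 1-2 are from the thread; lines 3-5 are made up
# (an Untrusted TLS delivery and a delivery with no TLS line at all).
SAMPLE_LOG = """\
Apr 8 17:47:25 mournblade postfix/smtp[9856]: Verified TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 8 17:47:25 mournblade postfix/smtp[9856]: 96F7F283034: to=<sink@dane.sys4.de>, relay=dane.sys4.de[194.126.158.134]:25, delay=2.8, delays=0.04/0.02/2.7/0.14, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Apr 8 17:50:01 mournblade postfix/smtp[9901]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Apr 8 17:50:01 mournblade postfix/smtp[9901]: A1B2C3D4E5F: to=<probe@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, delays=0.02/0.01/1.0/0.05, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Apr 8 17:52:13 mournblade postfix/smtp[9910]: B2C3D4E5F60: to=<probe@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.9, delays=0.02/0.01/0.8/0.05, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
"""


def correlate_tls(log_text):
    """Map (queue_id, recipient) -> (relay, tls_level) by pairing each delivery
    line with the most recent TLS line logged by the same smtp process.

    Caveat: this is a per-process "last seen" heuristic. Postfix logs the TLS
    line once per connection, so with connection caching several deliveries can
    legitimately share one TLS line; a plaintext connection reusing a process
    after a TLS one is not distinguishable from this log alone.
    """
    last_tls = {}   # pid -> level of the most recent TLS connection line
    results = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m.group("pid")] = m.group("level")
            continue
        m = DELIVERY_RE.search(line)
        if m:
            level = last_tls.get(m.group("pid"), "none")   # "none": no TLS line seen
            results[(m.group("qid"), m.group("rcpt"))] = (m.group("relay"), level)
    return results


def dane_failures(results, expected_verified_domains):
    """Return deliveries to domains that should have been DANE-verified but were
    not logged as 'Verified', as (qid, rcpt, relay, level) tuples."""
    expected = {d.lower() for d in expected_verified_domains}
    bad = []
    for (qid, rcpt), (relay, level) in results.items():
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in expected and level != "Verified":
            bad.append((qid, rcpt, relay, level))
    return bad


if __name__ == "__main__":
    res = correlate_tls(SAMPLE_LOG)
    for key, val in res.items():
        print(key, val)
    # dane.sys4.de is the thread's test destination; example.org is a constructed
    # domain we pretend publishes TLSA records, so its Untrusted delivery is flagged.
    for entry in dane_failures(res, {"dane.sys4.de", "example.org"}):
        print("NOT VERIFIED:", entry)
```

Feed it `grep postfix/smtp /var/log/mail.log` (path varies by system) and a list of domains whose TLSA records you expect to validate; anything that comes back with "Untrusted", "Anonymous" or "none" for such a domain means either the DANE policy was not applied or the records did not match, and is worth a look before a real message depends on it.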
-----Original Message-----
From: dane-users-bounces@sys4.de [mailto:dane-users-bounces@sys4.de] On Behalf Of Viktor Dukhovni
Sent: Wednesday, April 08, 2015 11:02 AM
To: dane-users@sys4.de
Subject: Re: DANE-enabled SMTP test destination?
On Wed, Apr 08, 2015 at 05:36:03PM +0000, Kevin San Diego wrote:
Does anyone know of an SMTP+DANE email reflector address where you can send test email to in order to validate proper SMTP client DANE behavior?
What do you want the "reflector" to do?
Ideally, the reflector would enable SMTP+DANE client and server validation tests. I could foresee the following functionality:
- Have the several reflector sub-domains configured with various types of TLSA records on the domain MX records (PKIX-EE, DANE-TA, and DANE-EE).
- Have an email address that maps to the various test domains to enable inbound testing using the various DANE validation types.
- Upon successfully receiving a test message, the reflector MTA would respond to the original "From" address on the incoming mail, and provide the SMTP client cert data (if provided by the SMTP client).
- When the email response is attempted, a DANE TLSA lookup for the recipient domain should be attempted.
- If the "From" domain TLSA record doesn't exist for the recipient domain, or the TLSA validation fails, a message would be sent stating what the failure was.
- If the "From" TLSA record exists and validation succeeds, a success message is sent to the client.
Sincerely,
Kevin San Diego
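The decision step in the reflector Kevin sketches, "TLSA record missing, validation failed, or validation succeeded", reduces to a small amount of matching logic once the server's certificate chain and the TLSA RRset are in hand. The code below is an added example for this thread, not code from either poster and not from any MTA: it parses TLSA records in presentation form, computes the certificate association data for selector/matching-type combinations, and classifies the outcome the way an SMTP client following RFC 7672 would (only DANE-TA(2) and DANE-EE(3) are usable for SMTP; PKIX usages and malformed records are ignored). The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, since a real client takes them from the TLS handshake, and for DANE-TA it only checks that an issuer certificate in the presented chain matches the record; it assumes, and does not perform, the path validation from the end-entity certificate to that trust anchor.

```python
import hashlib

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


def parse_tlsa(rdata):
    """Parse TLSA presentation form, e.g. '3 1 1 <hex digest>'.
    Raises ValueError on anything malformed."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def association_data(selector, mtype, cert_der, spki_der):
    """Certificate association data for one certificate.
    selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_verify(records, chain):
    """Classify DANE verification of an SMTP server's presented chain.

    records: TLSA records in presentation form for the MX host (may be empty).
    chain:   list of (cert_der, spki_der) tuples, end-entity certificate first.
    Returns (status, detail) with status in
    {"no-tlsa", "unusable", "verified", "mismatch"}.
    """
    if not records:
        return "no-tlsa", "no TLSA records for the MX host; DANE not required"
    usable = []
    for r in records:
        try:
            usage, selector, mtype, assoc = parse_tlsa(r)
        except ValueError:
            continue   # malformed record: treated as unusable, not as a failure
        # RFC 7672: only DANE-TA(2)/DANE-EE(3) are usable for SMTP; unknown
        # selectors/matching types are unusable too.
        if usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2):
            usable.append((usage, selector, mtype, assoc))
    if not usable:
        return "unusable", "TLSA records exist but none are usable for SMTP"
    for usage, selector, mtype, assoc in usable:
        # DANE-EE matches the end-entity cert only; DANE-TA matches an issuer
        # cert in the presented chain (assumption: path validation from the
        # EE to that trust anchor happens elsewhere and is not implemented here).
        candidates = chain[:1] if usage == 3 else chain[1:]
        for cert_der, spki_der in candidates:
            if association_data(selector, mtype, cert_der, spki_der) == assoc:
                return "verified", f"matched {USAGE_NAMES[usage]} record {usage} {selector} {mtype}"
    return "mismatch", "usable TLSA records present but none matched the presented chain"


def record(usage, selector, mtype, cert_der, spki_der):
    """Render the TLSA record a publisher would put in DNS for this certificate."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert_der, spki_der).hex()}"


# Constructed stand-ins for DER bytes; a real client takes these from the handshake.
EE_CERT, EE_SPKI = b"constructed EE certificate DER", b"constructed EE SubjectPublicKeyInfo DER"
CA_CERT, CA_SPKI = b"constructed issuer certificate DER", b"constructed issuer SubjectPublicKeyInfo DER"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

GOOD_EE = record(3, 1, 1, EE_CERT, EE_SPKI)            # "3 1 1": DANE-EE / SPKI / SHA-256
GOOD_TA = record(2, 0, 1, CA_CERT, CA_SPKI)            # "2 0 1": DANE-TA / full cert / SHA-256
STALE = record(3, 1, 1, b"old certificate", b"old SPKI")  # record left behind after a key rollover

if __name__ == "__main__":
    cases = [
        ("good-ee", [GOOD_EE]),
        ("good-ta", [GOOD_TA]),
        ("stale-only", [STALE]),
        ("stale-plus-current", [STALE, GOOD_EE]),   # the correct rollover shape: old + new
        ("pkix-only", ["1 1 1 " + "00" * 32]),
        ("none", []),
    ]
    for name, recs in cases:
        print(f"{name:20s} {tlsa_verify(recs, CHAIN)}")
```

The "stale-plus-current" case is the one worth internalising for operators: publishing the new record alongside the old one before the certificate changes is what keeps a key rollover from turning into a "mismatch", which is exactly the class of negligently broken domains Viktor declines to list.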