As you may be aware, I actively promote adoption of DANE SMTP, many thanks to everyone who's moved forward with DANE SMTP deployment!
That said, I also always stress that, when deploying DANE SMTP, *monitoring* must come first, and publishing of DANE TLSA records second. If your DANE TLSA deployment is unmonitored, it will some day fail, with you being the last to know that something is wrong when some email fails to arrive on time or at all. Unmonitored security is a ticking time-bomb.
Please implement monitoring of your DANE TLSA records vs. the live certificate chain through regular probing of your MX hosts (I'd suggest hourly if not more often for more critical servers). Of course you also need to have good automation of the certificate rollover process so that normally TLSA records aren't out of sync with the certificates even during a rollover.
If you don't yet have monitoring in place, the below could be a useful building block for your monitoring scripts.
The "danesmtp" shell (bash) function can take an optional explicit IP address to connect to, so you can test each of the IP addresses of a host in turn:
    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sslopts
        local rr i=0 host addr

        while getopts a: opt; do
            case $opt in
            a) addr=$OPTARG
               # Bracket IPv6 literals for -connect
               case $addr in *:*) addr="[$addr]";; esac;;
            *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
               return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift

        if [[ -z "$addr" ]]; then
            addr="$host"
        fi
        # The chain is verified against the TLSA records of $host, whichever address we connect to
        sslopts=(-starttls smtp -connect "$addr:25" -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Usage 2 and 3 records only, word-split into "usage selector mtype data" quadruples
        rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }
Hi Viktor, do you have a list of which mailbox providers are actively supporting DANE at the moment?
Mike
-----Original Message----- From: Viktor Dukhovni ietf-dane@dukhovni.org Sent: Friday, August 25, 2023 5:12 PM To: dane-users@list.sys4.de Subject: DANE monitoring building block: "danesmtp" shell function
On Wed, Aug 30, 2023 at 02:28:43PM +0000, Mike Hillyer wrote:
Hi Viktor, do you have a list of which mailbox providers are actively supporting DANE at the moment?
Yes, I have a partial list. It isn't always obvious from the survey data which operators are "mailbox providers". That said, below is what I have (roughly ordered by time of adoption):
- dukhovni.org (I host my own mail for just under 10 users. :-)
- posteo.de
- mailbox.org
- comcast.net
- gmx.de
- web.de
- tutanota.de
- protonmail.ch
- ...
I am surely forgetting to mention some that should be mentioned; please let me know which additional mailbox providers I should have listed. You can always check the status of a given domain (by domain, not MX host) at:
https://stats.dnssec-tools.org/explore?.
Also, the below "top 20" host many DANE-enabled domains, but may or may not offer consumer mailboxes hosted on one of their domains:
    1,328,840  one.com
      300,932  hostpoint.ch
      205,749  infomaniak.ch
      171,658  transip.nl
      168,485  mijndomein.nl
      150,828  jouwweb.nl
      144,209  argewebhosting.nl
      132,395  simply.com
      111,032  hostnet.nl
      109,693  domeneshop.no
      105,917  loopia.se
       91,311  webhostingserver.nl
       83,081  forpsi.com
       76,639  zxcs.nl
       43,300  protonmail.ch
       40,487  antagonist.nl
       39,763  active24.com
       37,580  webreus.nl
       30,428  pcextreme.nl
       28,690  xel.nl
For more hoster data, see:
https://dnssec-stats.ant.isi.edu/~viktor/hosters.html
Thank you, we're getting DANE on the roadmap for our MTA and this is very helpful.
Mike
-----Original Message----- From: Viktor Dukhovni ietf-dane@dukhovni.org Sent: Wednesday, August 30, 2023 11:07 AM To: dane-users@list.sys4.de Subject: Re: DANE monitoring building block: "danesmtp" shell function
Hi,
You can also find a (non-exhaustive) list on https://github.com/baknu/DANE-for-SMTP/wiki/3.-Software-and-service-support
Great, thanks!
-----Original Message----- From: Knubben, Bart bart.knubben@forumstandaardisatie.nl Sent: Wednesday, August 30, 2023 11:20 AM To: Mike Hillyer mike@mikehillyer.com Cc: dane-users@list.sys4.de Subject: RE: DANE monitoring building block: "danesmtp" shell function
-----Original Message----- From: Mike Hillyer mike@mikehillyer.com Sent: Wednesday, August 30, 2023 17:09 To: dane-users@list.sys4.de Subject: RE: DANE monitoring building block: "danesmtp" shell function
Thanks for the comprehensive explanations.
To monitor my SMTP with Nagios/Icinga2, I found
https://github.com/matteocorti/check_ssl_cert
useful, as it has options to check the different TLSA entries.
On Sun, Feb 18, 2024 at 08:07:26PM +0100, Andreas Klein via dane-users wrote:
Wow! That shell script is 7327 lines long!
Here's an update for danesmtp() that adds a "-u <usages>" option. The default list of usages is "23", but you can specify just "3" or just "2" (or for some reason choose to support WebPKI with "0123", ...). This is now 40 lines long. :-)
    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sigs sslopts
        local rr i=0 host addr usages=23
        local rsa=rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512
        local ecdsa=ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512

        # -u selects the TLSA usages to test (default "23"); -s restricts the offered
        # signature algorithms and ciphers so that a dual-certificate server presents
        # only its RSA or only its ECDSA chain
        while getopts a:u:s: opt; do
            case $opt in
            a) addr=$OPTARG
               case $addr in *:*) addr="[$addr]";; esac;;
            u) usages=$OPTARG;;
            s) case $OPTARG in
               rsa|RSA) sigs=("-sigalgs" "$rsa" -cipher aRSA);;
               ecdsa|ECDSA) sigs=("-sigalgs" "$ecdsa" -cipher aECDSA);;
               *) printf 'danesmtp: Only RSA and ECDSA signatures supported\n'
                  return 1;;
               esac;;
            *) printf 'usage: danesmtp [-a addr] [-u usages] [-s rsa|ecdsa] host [ssloption ...]\n'
               return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift

        if [[ -z "$addr" ]]; then
            addr="$host"
        fi
        sslopts=(-starttls smtp -connect "$addr:25" "${sigs[@]}" -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Keep only the TLSA records whose usage is one of the characters in $usages
        rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                grep -Ei "^[$usages]"' [01] [012] [0-9a-f]+$') )
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }
Admittedly, this does not have any Icinga-specific signalling, so if more than a return code is required, some more glue would be needed.
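As an added illustration (my example, not Viktor's code or OpenSSL's) of the TLSA-vs-live-chain comparison the probe performs, and of the Nagios/Icinga exit-code glue mentioned just above: it takes the chain as a list of DER certificates, leaf first (e.g. saved from `openssl s_client -showcerts`), and TLSA records in the `dig +short` form the function greps for. All function names are my own, and the `der` helper exists only so the certificates it is tested with can be constructed skeletons rather than real ones.

```python
import hashlib

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample certificates for this example."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def tlv(data, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def spki_from_cert(cert):
    """Return the DER SubjectPublicKeyInfo, the 7th field of TBSCertificate (RFC 5280 4.1)."""
    _, pos, _ = tlv(cert, 0)                           # Certificate ::= SEQUENCE
    _, pos, _ = tlv(cert, pos)                         # tbsCertificate ::= SEQUENCE
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def matching_data(cert, selector, mtype):
    """RFC 6698: selector 0 = full cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    obj = cert if selector == 0 else spki_from_cert(cert)
    return obj if mtype == 0 else hashlib.new({1: "sha256", 2: "sha512"}[mtype], obj).digest()

def check_chain(chain, tlsa_lines):
    """Map each 'usage sel mtype hex' line (dig +short form) to the chain depth it matches, or None.
    EE usages (1, 3) must match the leaf (depth 0), TA usages (0, 2) a presented issuer; no path validation here."""
    report = {}
    for line in tlsa_lines:
        usage, sel, mtype, data = line.split()
        depths = [0] if usage in ("1", "3") else range(1, len(chain))
        hits = [d for d in depths if matching_data(chain[d], int(sel), int(mtype)) == bytes.fromhex(data)]
        report[line] = hits[0] if hits else None
    return report

def nagios_status(report):
    """Nagios/Icinga exit code: 0 all records match, 1 some are stale (rollover leftovers?), 2 none match."""
    matched = sum(depth is not None for depth in report.values())
    if matched == 0:                                   # also covers "no TLSA records found at all"
        return 2, "CRITICAL: no TLSA record matches the live chain"
    if matched < len(report):
        return 1, "WARNING: %d of %d TLSA records do not match" % (len(report) - matched, len(report))
    return 0, "OK: all %d TLSA records match" % len(report)
```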