By using DANE-TA(2) TLSA records you can associate your SMTP server with a either a public or private (your own) issuer CA. This can simplify the management of TLSA records of multiple MX hosts by using a CNAME to a common location where you publish the shared CA key hash.
Some care needs to be take to make sure that certificate chains issued by a private CA can be successfully validated by correctly configured DANE TLS clients.
1. Make sure the MX hostname of the end-entity server is one of the names in the subjectAltName extension of the server certificate. This is optional for DANE-EE(3), but is required for DANE-TA(2).
Some MX hosts are known by different names when serving different domains. I don't recommend this, but can't stop you from doing it. In that case, all the names should appear in the certificate, or (if using server-side SNI) each name should appear in the corresponding certificate.
2. Make sure that the server certificate is replaced in a timely manner before it expires. This is also optional with DANE-EE(3), and required with DANE-TA(2).
3. [The motivation for this message]. Use broadly accepted cryptographic algorithms and parameters. For example, recent versions of GnuTLS by default no longer accept SHA-1 signatures in certificate chains. Some versions of Exim that support DANE are linked with GnuTLS, and the Exim maintainers are not presently inclined to re-enable SHA-1 support. Therefore, sites using private CAs with SHA-1 signatures may encounter problems receiving some email. (Public CA/B forum CAs no longer issue SHA-1 certificates.)
For best interoperability use the SHA256 digest algorithm in certificate signatures.
For best interoperability, use RSA key sizes of at least 1280 bits, and no more than 4096. The most common choice is 2048-bits.
For ECDSA, stick with NIST P-256 (OpenSSL names for this ECDSA curve are prime256v1 and secp256r1).
Today (after most of the small number of domains using SHA-1 with private CAs re-issued their certificates) the DANE survey finds only one MX host of one domain with SHA-1 private-CA signatures:
semidefinite.de. IN MX 10 mail.semidefinite.de.
so the impact of the GnuTLS policy is low. With a bit of luck, this post will help others avoid the same issue, and perhaps also the postmaster of the above domain will see it on one of the dane-users, postfix-users or exim-users lists, so the number of affected domains may soon be zero.
participants (1)
-
Viktor Dukhovni