Skip to content

Enforce DANE policy #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
foxcpp opened this issue Apr 14, 2019 · 7 comments
Closed

Enforce DANE policy #50

foxcpp opened this issue Apr 14, 2019 · 7 comments
Labels
mta-out Related to MSA or outgoing message processing part of MTA functionality. new feature New feature. security Related to security measures.

Comments

@foxcpp
Copy link
Owner

foxcpp commented Apr 14, 2019
edited
Loading

It would be nice to support DANE in addition to MTA-STS to increase interoperability.

Again, there are two sides in DANE support:

  • Check DANE for remote MTAs
  • Check if we have DANE record and reject unencrypted MTA connections.

https://tools.ietf.org/html/rfc7672
@emersion
Copy link
Collaborator

DANE requires DNSSEC right?

@emersion emersion added the new feature New feature. label Apr 14, 2019
@foxcpp
Copy link
Owner Author

foxcpp commented Apr 14, 2019

Yep.

@foxcpp foxcpp added security Related to security measures. smtp labels Apr 14, 2019
@foxcpp
Copy link
Owner Author

foxcpp commented Apr 14, 2019

Perhaps we should include a small DNSSEC-enabled resolver in maddy. This will also make things slightly more secure in general.

@emersion
Copy link
Collaborator

I wonder how this could integrate with the Go standard library. Is there a way to override the resolver?

@foxcpp
Copy link
Owner Author

foxcpp commented Apr 14, 2019

It doesn't seem to be possible, sadly.

@emersion
Copy link
Collaborator

golang/go#13279

@foxcpp
Copy link
Owner Author

foxcpp commented Apr 21, 2019

I would count this as a low-priority issue, after some research I found out that DANE is much less widely deployed then MTA-STS (to the point where it took a lot of effort to find ONE domain with a TLSA record).

@foxcpp foxcpp mentioned this issue May 19, 2019
Closed
@foxcpp foxcpp added mta-out Related to MSA or outgoing message processing part of MTA functionality. and removed smtp labels May 25, 2019
@foxcpp foxcpp mentioned this issue Jun 8, 2019
Closed
40 tasks
@foxcpp foxcpp mentioned this issue Dec 9, 2019
Closed
@foxcpp foxcpp closed this as completed in c7f3e0c Dec 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
mta-out Related to MSA or outgoing message processing part of MTA functionality. new feature New feature. security Related to security measures.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emersion @foxcpp