Mail server admins might (will? should?) have heard of DANE. DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) are complementary security protocols that work together to secure internet communications, especially email.
In the hopes of bringing more awareness to DANE, and how to implement (and monitor, which is key!) DANE on large and small mail servers, the friendly folks at sys4.de have published a tool to help monitoring DANE.
May DANE spread far and wide - and may your self-signed certificates be verified and trusted via your DNSSEC-authenticated DNS records!
From a post by Patrick Ben Koetter to the DANE mailing list at sys4.de [0]:
Greetings!
Our this year's Christmas gift to the community is a service that let’s you
monitor and detect typical DANE related problems for DANE-enabled inbound SMTP
services. You can integrate the service in your own service environment or run
it as a docker container and poll it for test results from a monitoring service.
## Why?
We believe every platform should enable and use DANE. DANE is the missing
piece in TLS or as Wietse Venema once put it: „Encryption without
authentication is not 'security'. It just gives some privacy.“ DANE adds the
missing authentication bit. But DANE enforces strict policy and if your
platform fails inbound DANE-verification you will not receive email from those
platforms that enforce outbound DANE-verification. A failing DANE policy
imposes a production risk.
## Why would your platform fail DANE verification?
From discussions with Viktor about the statistics he generates at
https://stats.dnssec-tools.org/#/ we know that in most cases, when
DANE-enabled platforms fail DANE-verification, it is because the published
TLSA resource record(s) in DNS do not match one of the x509 certificate's
fingerprint.
We want everybody to benefit from the security DANE adds to TLS and not have
people look at it as a production risk! This is why we built the SMTP DANE
Verify service. It will test and detect common DANE policy problems. Using
SMTP DANE Verify everybody will be able to monitor their own (and other)
domains and raise an alarm in case the tested domain fails DANE verification.
## How would you use SMTP DANE Verify?
If you think SMTP DANE Verify is for you check out the project at
https://github.com/sys4/smtp-dane-verify. The project's README should give you
all the information you need to setup, run and integrate SMTP DANE Verify on
your platform.
On a sidenote: In case you are still in doubt if anyone should be using DANE at
all: the EU has launched a Multi-Stakeholder Working Group for Internet
Standards in the EU and DANE is a major item on the groups roadmap. Follow this
link to read more:
https://digital-strategy.ec.europa.eu/en/news/european-commi......
And that's it! We hope you will find it as useful as we do. Season greetings
to all of you. Peace on earth to all of us. o:)
Mail server admins might (will? should?) have heard of DANE. DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) are complementary security protocols that work together to secure internet communications, especially email.
In the hopes of bringing more awareness to DANE, and how to implement (and monitor, which is key!) DANE on large and small mail servers, the friendly folks at sys4.de have published a tool to help monitoring DANE.
May DANE spread far and wide - and may your self-signed certificates be verified and trusted via your DNSSEC-authenticated DNS records!
From a post by Patrick Ben Koetter to the DANE mailing list at sys4.de [0]:
Greetings!
Our this year's Christmas gift to the community is a service that let’s you monitor and detect typical DANE related problems for DANE-enabled inbound SMTP services. You can integrate the service in your own service environment or run it as a docker container and poll it for test results from a monitoring service.
## Why? We believe every platform should enable and use DANE. DANE is the missing piece in TLS or as Wietse Venema once put it: „Encryption without authentication is not 'security'. It just gives some privacy.“ DANE adds the missing authentication bit. But DANE enforces strict policy and if your platform fails inbound DANE-verification you will not receive email from those platforms that enforce outbound DANE-verification. A failing DANE policy imposes a production risk.
## Why would your platform fail DANE verification? From discussions with Viktor about the statistics he generates at https://stats.dnssec-tools.org/#/ we know that in most cases, when DANE-enabled platforms fail DANE-verification, it is because the published TLSA resource record(s) in DNS do not match one of the x509 certificate's fingerprint.
We want everybody to benefit from the security DANE adds to TLS and not have people look at it as a production risk! This is why we built the SMTP DANE Verify service. It will test and detect common DANE policy problems. Using SMTP DANE Verify everybody will be able to monitor their own (and other) domains and raise an alarm in case the tested domain fails DANE verification.
## How would you use SMTP DANE Verify? If you think SMTP DANE Verify is for you check out the project at https://github.com/sys4/smtp-dane-verify. The project's README should give you all the information you need to setup, run and integrate SMTP DANE Verify on your platform.
On a sidenote: In case you are still in doubt if anyone should be using DANE at all: the EU has launched a Multi-Stakeholder Working Group for Internet Standards in the EU and DANE is a major item on the groups roadmap. Follow this link to read more: https://digital-strategy.ec.europa.eu/en/news/european-commi......
And that's it! We hope you will find it as useful as we do. Season greetings to all of you. Peace on earth to all of us. o:)
p@rick
[0]: https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de...