DANE-SMTP enabled
After setting up my mail server I already set up SPF
, DKIM
, DMARC
and MTA-STS
but was not yet sure about how to
deal with DANE.
DANE
uses a TLSA
entry on the DNS
server to publish a services certificate or key. This means that a client can
verify that it is talking to the correct server without relying on any kind of CA. All this is based on
DNSSEC which ensures the authenticity and data
integrity of the DNS
entries.
While this concept in general is pretty neat, it has the requirement of DNS
entries to be updated when a certificate or
key changes. Additionally just simply updating an entry will no be enough, since other DNS
servers still might have the
old key cached. Therefore a more sophisticated rollover mechanism would be required. Due to the short life of
Let’s Encrypt certificates this is even more relevant.
Luckily Certbot provides the option --reuse-key
to circumvent the requirement of updating
the DNS
entries by reusing the existing key. Therefore a TLSA
entry can be generated from the current public key and
will not require updating as well since the key does not change.
For generation of an according TLSA
entry Shumon Huque has a very handy
TLSA Record Generator on his website.
The entry in this case must be for usage DANE-EE
with selector 1 - SPKI
. I use a SHA-256
hash and got following
result:
_25._tcp.vs.senvang.org. IN TLSA 3 1 1 (
5634d5e1ce5f1e4a8ab25cd8335c97ab76e1215e09c157568e5c9a3dc39a
a491
)
Alternatively you can generate the hash with openssl
:
openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin --outform der | sha256sum
Obviously this does not resolve the need for a clean rollover when a key change happens, but it massively reduces the frequency and therefore the risk and it gives me time to think about how to get this automated.