DANE-enabled SMTP test destination?

Kevin San Diego ksandiego at cloudmark.com
Wed Apr 8 20:18:00 CEST 2015

> -----Original Message-----
> From: dane-users-bounces at sys4.de [mailto:dane-users-bounces at sys4.de] On
> Behalf Of Viktor Dukhovni
> Sent: Wednesday, April 08, 2015 11:02 AM
> To: dane-users at sys4.de
> Subject: Re: DANE-enabled SMTP test destination?
> On Wed, Apr 08, 2015 at 05:36:03PM +0000, Kevin San Diego wrote:
> > Does anyone know of an SMTP+DANE email reflector address where you can
> > send test email to in order to validate proper SMTP client DANE behavior?
> What do you want the "reflector" to do? 

Ideally, the reflector would enable SMTP+DANE client and server validation tests. I could foresee the following functionality:
- Have several reflector sub-domains configured with various types of TLSA records on the domain MX records (PKIX-EE, DANE-TA, and DANE-EE)
- Have an email address that maps to the various test domains to enable inbound testing using the various DANE validation types.
- Upon successfully receiving a test message, the reflector MTA would respond to the original "From" address on the incoming mail, and provide the SMTP client cert data (if provided by the SMTP client).
- When the email response is attempted, a DANE TLSA lookup for the recipient domain should be attempted.
	- If the "From" domain TLSA record doesn't exist for the recipient domain, or the TLSA validation fails, a message would be sent stating what the failure was.
	- If the "From" TLSA record exists and validation succeeds, a success message is sent to the client.


Kevin San Diego
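
The TLSA check and reply text described in the last items of the list above, sketched as an added example (not part of the original message and not code from any existing reflector). It assumes the TLSA RRset has already been DNSSEC-validated and that the peer's chain is supplied as (certificate DER, SPKI DER) pairs; the function names, report wording and sample bytes are hypothetical, and PKIX usages and chain signature checks are not evaluated.

```python
import hashlib

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# TLSA matching types: 0 = full data, 1 = SHA2-256, 2 = SHA2-512
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def record_matches(rdata, chain):
    """chain is [(cert_der, spki_der), ...], leaf first. Digest comparison only.
    Returns True/False, or None when this sketch does not evaluate the record."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in DIGESTS:
        return None
    # DANE-EE pins the leaf; DANE-TA pins an issuer further up the chain.
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(DIGESTS[mtype](c[selector]) == data for c in candidates)

def reflector_report(domain, rrset, chain):
    """Build the one-line result a reflector could mail back (hypothetical format)."""
    if not rrset:
        return f"FAIL {domain}: no TLSA records found"
    results = [(r, record_matches(r, chain)) for r in rrset]
    for rdata, ok in results:
        if ok:
            return f"OK {domain}: matched {USAGES[parse_tlsa(rdata)[0]]} record"
    skipped = sum(1 for _, ok in results if ok is None)
    return (f"FAIL {domain}: 0 of {len(rrset)} TLSA records matched "
            f"({skipped} not evaluated)")

# Constructed sample input: stand-in byte strings, not real certificates.
LEAF = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
CA = (b"constructed issuer certificate DER", b"constructed issuer SPKI DER")
CHAIN = [LEAF, CA]
EE_RR = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
TA_RR = "2 0 1 " + hashlib.sha256(CA[0]).hexdigest()
STALE_RR = "3 1 1 " + "00" * 32

if __name__ == "__main__":
    for rrset in ([EE_RR], [TA_RR], [STALE_RR], []):
        print(reflector_report("sender.example", rrset, CHAIN))
```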
