Test tool havedane.net and NCSC-NL factsheet on DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 18 16:51:33 CEST 2017

> On May 18, 2017, at 3:23 AM, Bart Knubben <bart at knubben.org> wrote:
> 1. Check this new tool for testing if your mail server checks DANE
> when sending email: https://havedane.net

It is a step in the right direction, though testing should ultimately
be much more comprehensive.

	* Test that "expired" certificates are accepted with DANE-EE(3)

	* Test that matching hostnames are not required with DANE-EE(3)

	* Test multiple DANE-EE(3) SPKI(1) SHA2-256(1) records with
	  just one matching the chain.

	* Probe for digest agility support, test a working SHA2-512(2)
	  a non-working SHA2-256(1) and vice versa.

	* Test DANE-TA(2) support with TA certificate in the server chain

	* Test DANE-TA(2) with wildcard leaf certificate.

	* Test DANE-TA(2) with expired leaf certificates, or non-matching

	* Test optional DANE-TA(2) SPKI(1) Full(0) support with the trust
	  anchor public key in DNS and the full certificate NOT provided
	  in the chain (Postfix supports this, other MTAs might not.  Per
	  RFC 7671, support for this corner case is optional, and servers MUST
	  include the trust anchor CA certificate in their chain).

	* Test support for a combination of a DANE-TA(2) and a DANE-EE(3)
	  (both cases).

	* Test TLSA record lookup failures (broken RRsig, broken denial of
	  existence, ...)

	* Test DNSSEC-signed domains with MX hostnames in an unsigned zone.
	  Their TLSA records should not be looked up (delegate "_tcp" to
	  non-responding and perhaps query-logging servers, sender should
	  not be delayed by trying to look these up).


If you want to check that your Postfix is doing DANE minimally correctly
per this site, just try:

$ myemail=...
$ sendmail -bv -f $myemail probe-rcpt@wrong.havedane.net
$ sendmail -bv -f $myemail probe-rcpt@do.havedane.net
$ sendmail -bv -f $myemail probe-rcpt@dont.havedane.net

Then check your logs.  You should see something along the lines of:

May 18 10:10:59 amnesiac postfix/pickup[60085]: B48AC3904F: uid=1001 from=<...>
May 18 10:10:59 amnesiac postfix/cleanup[60313]: B48AC3904F: message-id=<20170518141059.B48AC3904F at amnesiac.imrryr.org>
May 18 10:10:59 amnesiac postfix/qmgr[17091]: B48AC3904F: from=<...>, size=316, nrcpt=1 (queue active)
May 18 10:11:00 amnesiac postfix/smtp[60315]: certificate verification failed for wrong.havedane.net[]:25: untrusted issuer /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me at myhost.mydomain
May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection established to wrong.havedane.net[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F: to=<probe-rcpt at wrong.havedane.net>, relay=wrong.havedane.net[]:25, delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server certificate not trusted)
May 18 10:11:01 amnesiac postfix/bounce[60328]: B48AC3904F: sender delivery status notification: 0CA8939052
May 18 10:11:01 amnesiac postfix/qmgr[17091]: B48AC3904F: removed

May 18 10:11:18 amnesiac postfix/pickup[60085]: D1FFC39054: uid=1001 from=<...>
May 18 10:11:18 amnesiac postfix/cleanup[60313]: D1FFC39054: message-id=<20170518141118.D1FFC39054 at amnesiac.imrryr.org>
May 18 10:11:18 amnesiac postfix/qmgr[17091]: D1FFC39054: from=<...>, size=313, nrcpt=1 (queue active)
May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection established to do.havedane.net[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054: to=<47e517f26634fd03 at do.havedane.net>, relay=do.havedane.net[]:25, delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:19 amnesiac postfix/bounce[60328]: D1FFC39054: sender delivery status notification: F024239056
May 18 10:11:19 amnesiac postfix/qmgr[17091]: D1FFC39054: removed

May 18 10:11:36 amnesiac postfix/pickup[60085]: 8385E39058: uid=1001 from=<...>
May 18 10:11:36 amnesiac postfix/cleanup[60313]: 8385E39058: message-id=<20170518141136.8385E39058 at amnesiac.imrryr.org>
May 18 10:11:36 amnesiac postfix/qmgr[17091]: 8385E39058: from=<...>, size=315, nrcpt=1 (queue active)
May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection established to dont.havedane.net[]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058: to=<47e517f26634fd03 at dont.havedane.net>, relay=dont.havedane.net[]:25, delay=1, delays=0/0/0.91/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
May 18 10:11:37 amnesiac postfix/bounce[60328]: 8385E39058: sender delivery status notification: 99CC23905A
May 18 10:11:37 amnesiac postfix/qmgr[17091]: 8385E39058: removed
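To check a log excerpt like the one above mechanically, here is an added example (not code from the post or from Postfix) that parses the `postfix/smtp` "TLS connection established" and delivery-status lines and compares each probe domain with the outcome the post shows. The sample lines are the post's own, with the archive's " at " address munging undone; the `EXPECTED` table and the function names are this example's.

```python
"""Check a Postfix log excerpt for the three havedane.net probes (added
example, not part of the post or of Postfix)."""
import re
from collections import defaultdict

TLS_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+) TLS connection established to ([^\[\s]+)\[")
STATUS_RE = re.compile(r"postfix/smtp\[\d+\]: [0-9A-F]+: to=<[^>]*>, relay=([^\[\s]+)\[.*?status=(\w+)")

# (TLS level, verify status) a DANE-enabled client should log for each probe
# domain, as shown in the post's excerpt.
EXPECTED = {
    "wrong.havedane.net": ("Untrusted", "undeliverable"),  # TLSA published, cert does not match
    "do.havedane.net": ("Verified", "deliverable"),        # TLSA published and matches
    "dont.havedane.net": ("Anonymous", "deliverable"),     # no TLSA, opportunistic TLS only
}

# Sample input: the post's log lines (address munging undone).
SAMPLE_LOG = [
    "May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection established to wrong.havedane.net[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F: to=<probe-rcpt@wrong.havedane.net>, relay=wrong.havedane.net[]:25, delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server certificate not trusted)",
    "May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection established to do.havedane.net[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054: to=<47e517f26634fd03@do.havedane.net>, relay=do.havedane.net[]:25, delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)",
    "May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection established to dont.havedane.net[]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    "May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058: to=<47e517f26634fd03@dont.havedane.net>, relay=dont.havedane.net[]:25, delay=1, delays=0/0/0.91/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)",
]


def summarize(lines):
    """Map relay host -> {"tls": TLS level, "status": verify status}."""
    seen = defaultdict(dict)
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            seen[m.group(2)]["tls"] = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            seen[m.group(1)]["status"] = m.group(2)
    return dict(seen)


def verdicts(lines, expected=EXPECTED):
    """Compare the log against `expected`. "missing" means the host has no
    TLS line or no status line in the excerpt."""
    summary = summarize(lines)
    out = {}
    for host, want in expected.items():
        got = summary.get(host, {})
        if "tls" not in got or "status" not in got:
            out[host] = "missing"
        elif (got["tls"], got["status"]) == want:
            out[host] = "pass"
        else:
            out[host] = "fail (%s/%s)" % (got["tls"], got["status"])
    return out


if __name__ == "__main__":
    for host, verdict in verdicts(SAMPLE_LOG).items():
        print(host, verdict)
```

Both fields are compared on purpose: a client running plain opportunistic TLS would also log wrong.havedane.net as "Untrusted", but would report it deliverable, and would log do.havedane.net as "Untrusted" or "Trusted" rather than "Verified". The status field is what tells the two apart.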
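The matching rules behind the test list earlier in the message (DANE-EE(3) ignoring expiry and names, DANE-TA(2) requiring the TA in the chain plus leaf checks, multiple records with one match, digest agility) as an added example, not code from the post or from Postfix: a Python model of how an SMTP client evaluates a TLSA RRset against the chain a server presented. The certificates, record data and names are constructed stand-ins; real X.509 parsing and signature verification are replaced by byte strings and issuer-name links, and the optional DANE-TA(2) SPKI(1) Full(0) case with the TA key only in DNS is deliberately not modelled, so a chain lacking the TA certificate fails, as the post says it must for servers.

```python
"""Model of DANE TLSA matching for an SMTP client (added example). Certificates
are constructed stand-ins, not real X.509 objects."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str           # subject DNS name ("*.x" for a wildcard)
    der: bytes          # stand-in for the full certificate DER
    spki: bytes         # stand-in for the SubjectPublicKeyInfo DER
    issuer: str         # subject name of the issuing certificate
    expired: bool = False
    is_ca: bool = False


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (0 and 1 are unusable for SMTP per RFC 7672)
    selector: int   # 0 = Full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = Full, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}
DIGEST_PREFERENCE = [2, 1]   # strongest first, from the client's point of view


def tlsa_for(usage, selector, mtype, cert):
    """Build the TLSA record a zone would publish for `cert`."""
    data = cert.der if selector == 0 else cert.spki
    return TLSA(usage, selector, mtype, data if mtype == 0 else DIGESTS[mtype](data).digest())


def record_matches(rec, cert):
    data = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 0:
        return data == rec.data
    fn = DIGESTS.get(rec.mtype)
    return fn is not None and fn(data).digest() == rec.data


def usable_records(records):
    """Drop unusable records, then apply digest agility as described in RFC 7671:
    per (usage, selector) pair only records with the strongest digest the client
    supports are consulted; Full(0) records are kept regardless."""
    records = [r for r in records if r.usage in (2, 3) and r.selector in (0, 1)
               and (r.mtype == 0 or r.mtype in DIGESTS)]
    keep = []
    for key in sorted({(r.usage, r.selector) for r in records}):
        group = [r for r in records if (r.usage, r.selector) == key]
        present = {r.mtype for r in group}
        strongest = next((m for m in DIGEST_PREFERENCE if m in present), None)
        keep += [r for r in group if r.mtype == 0 or r.mtype == strongest]
    return keep


def chains_to(leaf, chain, ta):
    """Follow issuer links through the presented chain until `ta` is reached.
    Issuer-name matching stands in for signature verification here."""
    by_name = {c.name: c for c in chain}
    cur = leaf
    for _ in range(len(chain) + 1):
        if cur.name == ta.name:
            return True
        cur = by_name.get(cur.issuer)
        if cur is None:
            return False
    return False


def name_ok(cert, expected):
    """Hostname check with single-label wildcard support."""
    if cert.name.startswith("*."):
        return (expected.lower().endswith(cert.name[1:].lower())
                and expected.count(".") == cert.name.count("."))
    return cert.name.lower() == expected.lower()


def dane_verify(records, chain, expected_name):
    """chain[0] is the server's leaf, the rest is what the server presented.
    Returns (ok, reason)."""
    leaf = chain[0]
    for rec in usable_records(records):
        if rec.usage == 3:
            # DANE-EE: match the leaf only; expiry and name are not checked,
            # so an expired or differently named leaf still passes.
            if record_matches(rec, leaf):
                return True, "DANE-EE"
        else:
            # DANE-TA: the record must match a CA certificate the server included
            # in its chain, the leaf must chain to it, and the leaf is still
            # subject to expiry and name checks.
            for ta in chain[1:]:
                if (ta.is_ca and record_matches(rec, ta) and chains_to(leaf, chain, ta)
                        and not leaf.expired and name_ok(leaf, expected_name)):
                    return True, "DANE-TA"
    return False, "no usable TLSA record matched"


# Constructed fixtures (not real certificates).
ROOT = Cert("Example Root CA", b"der:root", b"spki:root", "Example Root CA", is_ca=True)
LEAF = Cert("mx1.example.net", b"der:leaf", b"spki:leaf", "Example Root CA")
EXPIRED_LEAF = Cert("mx1.example.net", b"der:old", b"spki:old", "Example Root CA", expired=True)
WILD_LEAF = Cert("*.example.net", b"der:wild", b"spki:wild", "Example Root CA")
```

Each bullet in the post's list maps onto one call: `dane_verify([tlsa_for(3, 1, 1, EXPIRED_LEAF)], [EXPIRED_LEAF, ROOT], "mx1.example.net")` succeeds because DANE-EE skips expiry, while the same chain against `tlsa_for(2, 0, 1, ROOT)` fails; publishing a correct SHA2-512 record next to a stale SHA2-256 one still verifies, but the reverse does not, because the weaker digest is never consulted once a stronger one is present.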
