xs4all enabled DANE outgoing verification

Jan-Pieter Cornet johnpc at xs4all.net
Mon Sep 3 23:26:33 CEST 2018

On 3-9-18 13:58, Viktor Dukhovni wrote:
>> On smtp.xs4all.nl we enabled DANE outgoing verification[...]
> Great news, welcome to the club, and thanks!  When you do enable a default
> hardfail, you might consider exempting a particular sender address or subject
> tag, or perhaps a custom header:
> 	https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03#section-3
> so that you can still send email to the contacts of any domains that are
> failing, prior to disabling DANE for the domain for all senders.

Oh, that's a good idea. Implemented the "RequireTLS: NO" header now :)

> You might find that some domains have intermittent outages as a result of poorly
> executed key/cert rollovers where the TLSA records are updated *after* they first
> become invalid.  For any of those, soft fail may make sense until your logs show
> no failures for a year or more.

Hm, that requires quite a bit of state-keeping. Can such domains be added to the dane-fail list, or should those domains be put on another list? (dane-transient-failures?)

> Indeed the danefail list is not expected to be "complete".  If any of you run
> into domains for which you need to make an exception, please open an issue or
> pull request on github if unable to resolve with the remote domain.

I'll go over all the DANE logs in a few days, and see if any domains not on the dane-fail list show any errors. If I find any, I'll contact the domains and if necessary create a github pull request on the danefail list.

> For those publishing TLSA records for inbound DANE, please make *sure* that
> you're offering STARTTLS *unconditionally*, to all SMTP clients with no
> restrictions by client IP address or reputation.  Configurations that
> restrict STARTTLS to a set of "good" IPs are not compatible with DANE.
> If STARTTLS was disabled with some client IPs for interoperability reasons,
> resolve those first.

Thanks, I'll use your message to persuade any other domains that don't send me STARTTLS, if I find any :). If they do not respond, can I add those domains to the dane-fail list too? I understand that selectively offering STARTTLS is a lot harder to test for other people...

Jan-Pieter Cornet <johnpc at xs4all.net>
Systems administration, XS4ALL Internet bv
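The rollover failure Viktor describes (TLSA records updated only after the new key is already served) is easy to see in a DANE-EE matcher. The following is an added illustration, not code from this thread or from any MTA: it implements the RFC 6698 selector/matching-type check for usage 3 records against constructed certificate and SubjectPublicKeyInfo bytes, and shows why pre-publishing the new "3 1 1" record alongside the old one avoids the outage window.

```python
import hashlib

# Matching types from RFC 6698: 0 = full data, 1 = SHA-256, 2 = SHA-512.
def _digest(mtype: int, data: bytes) -> bytes:
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def tlsa_matches(record, cert_der: bytes, spki_der: bytes) -> bool:
    """record = (usage, selector, mtype, assoc_hex), e.g. a '3 1 1 <hex>' RR.

    Only DANE-EE (usage 3) is handled: the record must match the end-entity
    certificate itself. DANE-TA (usage 2) needs chain building and is not shown.
    """
    usage, selector, mtype, assoc_hex = record
    if usage != 3:
        return False
    if selector == 0:      # Cert(0): whole DER certificate
        target = cert_der
    elif selector == 1:    # SPKI(1): SubjectPublicKeyInfo only
        target = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    return _digest(mtype, target) == bytes.fromhex(assoc_hex)

def dane_verify(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """A DANE-aware sender accepts the server cert if any usable TLSA RR matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)

def tlsa_for(spki_der: bytes):
    """Build the '3 1 1' record (DANE-EE, SPKI, SHA-256) for a public key."""
    return (3, 1, 1, hashlib.sha256(spki_der).hexdigest())

def rollover_demo():
    """Constructed rollover: returns (verifies_with_stale_rr, verifies_with_prepublished_rr)."""
    old_spki = b"constructed-old-server-spki"   # stand-in for the old key's SPKI DER
    new_spki = b"constructed-new-server-spki"   # stand-in for the new key's SPKI DER
    stale_rrset = [tlsa_for(old_spki)]                     # DNS still points at old key
    prepublished = [tlsa_for(old_spki), tlsa_for(new_spki)]  # both keys published ahead
    served_cert = b"constructed-new-cert-der"  # the server already presents the new key
    return (dane_verify(stale_rrset, served_cert, new_spki),
            dane_verify(prepublished, served_cert, new_spki))
```

With a stale record set the new key fails verification, which is exactly the state a hardfail sender would defer on until the TLSA update lands.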