xs4all enabled DANE outgoing verification
Jan-Pieter Cornet
johnpc at xs4all.net
Mon Sep 3 23:26:33 CEST 2018
On 3-9-18 13:58, Viktor Dukhovni wrote:
>> On smtp.xs4all.nl we enabled DANE outgoing verification[...]
>
> Great news, welcome to the club, and thanks! When you do enable a default
> hardfail, you might consider exempting a particular sender address or subject
> tag, or perhaps a custom header:
>
> https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03#section-3
>
> so that you can still send email to the contacts of any domains that are
> failing, prior to disabling DANE for the domain for all senders.
Oh, that's a good idea. Implemented the "RequireTLS: NO" header now :)
> You might find that some domains have intermittent outages as a result of poorly
> executed key/cert rollovers where the TLSA records are updated *after* they first
> become invalid. For any of those, soft fail may make sense until your logs show
> no failures for a year or more.
Hm, that requires quite a bit of state-keeping. Can such domains be added to the dane-fail list, or should those domains be put on another list? (dane-transient-failures?)
> Indeed the danefail list is not expected to be "complete". If any of you run
> into domains for which you need to make an exception, please open an issue or
> pull request on github if unable to resolve with the remote domain.
I'll go over all the DANE logs in a few days, and see if any domains not on the dane-fail list show any errors. If I find any, I'll contact the domains and if necessary create a github pull request on the danefail list.
> For those publishing TLSA records for inbound DANE, please make *sure* that
> you're offering STARTTLS *unconditionally*, to all SMTP clients with no
> restrictions by client IP address or reputation. Configurations that
> restrict STARTTLS to a set of "good" IPs are not compatible with DANE.
> If STARTTLS was disabled with some client IPs for interoperability reasons,
> resolve those first.
Thanks, I'll use your message to persuade any other domains that don't send me STARTTLS, if I find any :). If they do not respond, can I add those domains to the dane-fail list too? I understand that selectively offering STARTTLS is a lot harder to test for other people...
--
Jan-Pieter Cornet <johnpc at xs4all.net>
System Administration, XS4ALL Internet bv
www.xs4all.nl
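The rollover failure mode Viktor describes (TLSA records updated only after the new certificate is already live) can be caught before deployment by checking that the published RRset matches both the old and the new certificate. Below is an added example for that check, not code from this thread or from xs4all; the DER and SubjectPublicKeyInfo blobs are constructed byte strings standing in for real certificates.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE, the usual choice for SMTP; only usage 3 is checked here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data as published in DNS

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the association data a TLSA record would carry for this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")

def matching_records(records, cert_der: bytes, spki_der: bytes):
    """Return the published DANE-EE records that this certificate satisfies.
    Usage 2 (DANE-TA) needs chain validation and is deliberately not handled."""
    return [r for r in records
            if r.usage == 3
            and association_data(r.selector, r.mtype, cert_der, spki_der) == r.data]

def rollover_plan_is_safe(records, old, new) -> bool:
    """A rollover is safe only if the RRset currently in DNS matches the old
    certificate AND the new one: publish the new record, wait out the TTL,
    then swap certificates, then drop the old record."""
    return bool(matching_records(records, *old)) and bool(matching_records(records, *new))

# Constructed stand-ins for DER-encoded certificates and their SPKI fields.
OLD_CERT, OLD_SPKI = b"constructed-old-cert-der", b"constructed-old-spki-der"
NEW_CERT, NEW_SPKI = b"constructed-new-cert-der", b"constructed-new-spki-der"
# Reissued cert for the same key: different cert bytes, same SPKI.
REISSUED_CERT = b"constructed-reissued-cert-der"

# RRset published before the swap, covering both keys ("3 1 1" records).
SAFE_RRSET = [TLSA(3, 1, 1, hashlib.sha256(OLD_SPKI).digest()),
              TLSA(3, 1, 1, hashlib.sha256(NEW_SPKI).digest())]
# RRset that was never updated ahead of time: the new cert will hard-fail.
STALE_RRSET = [TLSA(3, 1, 1, hashlib.sha256(OLD_SPKI).digest()),
               TLSA(3, 0, 1, hashlib.sha256(OLD_CERT).digest())]
```

Because a "3 1 1" record digests only the public key, a certificate reissued for the same key keeps matching it, while a "3 0 1" record breaks on every reissue; the former is the less fragile choice for unattended renewals.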