DANE: implement DANE ...

[poolpOrg]

We have to do it and our main competitor has it already ;-)

[poolpOrg]

FWIW, I have made progress with this and I might be able to actually get initial support soon.

[poolpOrg]

on my laptop I can now DANE-verify the MX at mx1.poolp.org

Unfortunately, I won't be able to commit this quite yet:
1- the verify is only informative for now, just adds a debug line
2- due to the current lka/dns code, had to resort to a hack to get a callback executed ...
3- ... which made it clear some refactor is needed before this gets in
4- also, I currently only implemented all match types but only one usage / selector

Hopefully I should be done with the refactor in the next couple weeks and commit DANE to master/portable during May.

[reyk]

What happened to this?

[poolpOrg]

On Wed, Oct 21, 2015 at 11:47:15PM -0700, Reyk Floeter wrote:

What happened to this?

not much, i have a branch somewhere with dane support, but it was just a
poc, not the real deal:

1- we need to refactor lka.c a bit, the way it works today makes it hard
to implement dane without resorting to hacks (which I did in my poc).
i'll explain in further details if you're interested ;)

2- asr doesn't support DNSSEC so even when the smtpd part is ready there
is limited use to it until asr gains dnssec support.

gilles

Gilles Chehade

https://www.poolp.org @poolpOrg

[yonas]

@poolpOrg DNSSEC support was added to libasr in March.

[poolpOrg]

Resurrected experimental branch:
https://github.com/OpenSMTPD/OpenSMTPD/tree/DANE

DANE will not be ready for 6.2.0 but should be ready for 6.3.0

[johnjones]

The Dutch and German governments have mandated the use of DANE for government email.
It would be awesome to have support in OpenSMTPD...

[cruvolo]

The experimental DANE branch link is 404. Is there another branch maintained somewhere? Thanks.

[poolpOrg]

I have started implementing a standalone DANE resolver which still needs a bit of work before being brought in OpenSMTPD, but if you're curious search for poolpOrg/dane

[oldenj]

I'm requiring TLS for all connections to/from my mailserver. Just now i had to email german police and this is the first time this policy failed, because they use a DANE CA (johnjones mentioned they have to). It would be cool to have the feature.

[whataboutpereira]

I'm requiring TLS for all connections to/from my mailserver. Just now i had to email german police and this is the first time this policy failed, because they use a DANE CA (johnjones mentioned they have to). It would be cool to have the feature.

I tested running with TLS required as well some time ago - it resulted in mails lost from banks etc. that still aren't sending mail with TLS. :)

[oldenj]

@whataboutpereira That's sad to hear. I don't know where you're from - in Germany there were quite strong efforts to have mail traffic encrypted and i have not missed mails so far. This DANE problem is the first issue and it's quite ironic in the sense that it's my end that is non compliant/compatible.

[whataboutpereira]

@whataboutpereira That's sad to hear. I don't know where you're from

Estonia. The supposed IT country. I actually contacted a few of the places we were receiving unencrypted from, but banks were not amongst those who answered and fixed their setups. :)

[owenthewizard]

Is this still on the map? Looks like it's been almost a year without any update.

[1d01t]

I really love OpenSMTPD mail server. Thanks for your great work :)

I also would really love it to be able to use DANE in conjunction with OpenSMTPD.
Can you tell, if there is a plan to realize this in common releases?