DANE: implement DANE ... #409

Open
poolpOrg opened this issue Jan 22, 2014 · 14 comments

@poolpOrg poolpOrg commented Jan 22, 2014

We have to do it and our main competitor has it already ;-)

@poolpOrg poolpOrg self-assigned this Apr 29, 2015

@poolpOrg poolpOrg commented Apr 29, 2015

FWIW, I have made progress with this and I might be able to actually get initial support soon.

@poolpOrg poolpOrg commented Apr 30, 2015

on my laptop I can now DANE-verify the MX at mx1.poolp.org

Unfortunately, I won't be able to commit this quite yet:
1- the verify is only informative for now, just adds a debug line
2- due to the current lka/dns code, had to resort to a hack to get a callback executed ...
3- ... which made it clear some refactor is needed before this gets in
4- also, I currently only implemented all match types but only one usage / selector

Hopefully I should be done with the refactor in the next couple weeks and commit DANE to master/portable during May.

@reyk reyk commented Oct 22, 2015

What happened to this?

@poolpOrg poolpOrg commented Oct 22, 2015

On Wed, Oct 21, 2015 at 11:47:15PM -0700, Reyk Floeter wrote:
> What happened to this?

not much, I have a branch somewhere with dane support, but it was just a
poc, not the real deal:

1- we need to refactor lka.c a bit, the way it works today makes it hard
to implement dane without resorting to hacks (which I did in my poc).
I'll explain in further details if you're interested ;)

2- asr doesn't support DNSSEC so even when the smtpd part is ready there
is limited use to it until asr gains dnssec support.

gilles

Gilles Chehade

https://www.poolp.org @poolpOrg

@yonas yonas commented Jul 22, 2017

@poolpOrg DNSSEC support was added to libasr in March.

@poolpOrg poolpOrg added this to the OpenSMTPD 6.3.0 milestone Jul 27, 2017

@poolpOrg poolpOrg commented Jul 27, 2017

Resurrected experimental branch:
https://github.com/OpenSMTPD/OpenSMTPD/tree/DANE

DANE will not be ready for 6.2.0 but should be ready for 6.3.0

@johnjones johnjones commented Jul 3, 2018

The Dutch and German governments have mandated the use of DANE for government email.
It would be awesome to have support in OpenSMTPD...

@cruvolo cruvolo commented Oct 18, 2018

The experimental DANE branch link is 404. Is there another branch maintained somewhere? Thanks.

@poolpOrg poolpOrg commented Jun 13, 2019

I have started implementing a standalone DANE resolver which still needs a bit of work before being brought in OpenSMTPD, but if you're curious search for poolpOrg/dane

@ngortheone ngortheone removed this from the OpenSMTPD 6.5.0 milestone Oct 31, 2019

@oldenj oldenj commented Jun 2, 2020

I'm requiring TLS for all connections to/from my mailserver. Just now I had to email German police and this is the first time this policy failed, because they use a DANE CA (johnjones mentioned they have to). It would be cool to have the feature.

@whataboutpereira whataboutpereira commented Jun 2, 2020

> I'm requiring TLS for all connections to/from my mailserver. Just now I had to email German police and this is the first time this policy failed, because they use a DANE CA (johnjones mentioned they have to). It would be cool to have the feature.

I tested running with TLS required as well some time ago - it resulted in mails lost from banks etc. that still aren't sending mail with TLS. :)

@oldenj oldenj commented Jun 2, 2020

@whataboutpereira That's sad to hear. I don't know where you're from - in Germany there were quite strong efforts to have mail traffic encrypted and I have not missed mails so far. This DANE problem is the first issue and it's quite ironic in the sense that it's my end that is non-compliant/compatible.

@whataboutpereira whataboutpereira commented Jun 2, 2020

> @whataboutpereira That's sad to hear. I don't know where you're from

Estonia. The supposed IT country. I actually contacted a few of the places we were receiving unencrypted from, but banks were not amongst those who answered and fixed their setups. :)

@owenthewizard owenthewizard commented Jun 17, 2020

Is this still on the map? Looks like it's been almost a year without any update.
