Add support for DNS-based Authentication of Named Entities #1944

Open
renne opened this issue Feb 8, 2020 · 0 comments
Comments

renne commented Feb 8, 2020

Is your feature request related to a problem? Please describe.
The German data privacy seal requires DNS-based Authentication of Named Entities for email transport.

Describe the solution you'd like
Checkboxes to enable DNSSEC and DANE in the webadmin of Zentyal.

Required steps:

1. Enable DNSSEC signing on the primary nameserver
2. Hand over the Key-Signing public key to the domain registry
3. Enable DNSSEC validation in the DNS resolver (BIND9)
4. Create Let's Encrypt certificate:

   ```shell
   sudo apt-get update
   sudo apt-get install software-properties-common
   sudo add-apt-repository universe
   sudo add-apt-repository ppa:certbot/certbot
   sudo apt-get update
   sudo apt-get install certbot python-certbot-dns-rfc2136 hash-slinger
   ```

5. Create Certbot RFC2136 INI-file

   ```shell
   # "certonly" is the certbot subcommand that obtains a certificate without installing it
   sudo certbot certonly --noninteractive --preferred-challenges dns --agree-tos --rsa-key-size 4096 \
     --cert-path /etc/ssl/certs/ --key-path /etc/ssl/private/ \
     --dns-rfc2136 --dns-rfc2136-credentials <RFC 2136 credentials INI file> \
     --domains '<mydomain1.tld>','<*.mydomain1.tld>','<mydomain2.tld>','<*.mydomain2.tld>','<...>'
   ```

6. Enable TLS certificate and DANE in Postfix stub:

   ```
   smtp_dns_support_level = dnssec
   smtp_tls_security_level = dane
   ```

7. Configure /etc/ssl/certs/<certname> and /etc/ssl/keys/<certname> in stubs:

   - For the Zentyal Webadmin module: /usr/share/zentyal/stubs/core/nginx.conf.mas
   - For the Zentyal Mail (SMTP) module: /usr/share/zentyal/stubs/mail/main.cf.mas
   - For the Zentyal Mail (IMAP/POP) module: /usr/share/zentyal/stubs/mail/dovecot.conf.mas
   - For the Zentyal Sogo module: /etc/apache2/sites-enabled/default-ssl.conf
   - For the Zentyal Jabber module: /usr/share/zentyal/stubs/jabber/ejabberd.yml.mas

8. Add TLSA resource records to DNS zone:

   ```shell
   # nsupdate reads its commands from stdin; "update add" needs a TTL, which the
   # "tlsa --output rfc" line from hash-slinger does not include, hence the sed.
   nsupdate -k /etc/bind/rndc.key -l <<EOF
   update add $(tlsa --create --protocol tcp --port 443 --certificate /etc/ssl/certs/<certname> --output rfc --usage 3 --selector 1 --mtype 1 '<mydomain1.tld>' | sed 's/ IN TLSA / 3600 IN TLSA /')
   update add _<port>.<protocol>.<myhost>.<mydomain1.tld> 3600 IN CNAME _443._tcp.<mydomain1.tld>
   <...>
   send
   EOF
   ```

Describe alternatives you've considered
Doing all steps manually. :-(
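The TLSA records in the procedure above use usage 3, selector 1, matching type 1 (DANE-EE, SubjectPublicKeyInfo, SHA-256): the record pins the public key of the end-entity certificate, which is what `tlsa --usage 3 --selector 1 --mtype 1` emits. The following Python is an added example, not code from Zentyal or the issue reporter; it builds such records from a DER or PEM certificate with the standard library only and checks a presented leaf certificate against a TLSA RRset the way a DANE-EE verifier does. The certificates it works on are constructed stand-ins with the correct X.509 field layout and bogus keys and signatures, and `mydomain1.tld` is the placeholder name from the issue.

```python
"""DANE TLSA (RFC 6698) record generation and DANE-EE matching, standard library only.
Added example; not code from Zentyal or the issue reporter.  The DER walker handles
the definite-length encoding that X.509 certificates use and nothing more."""
import base64
import hashlib


def pem_to_der(pem_text):
    """Decode the first PEM block (e.g. /etc/ssl/certs/<certname>) to DER bytes."""
    body = pem_text.split("-----BEGIN")[1].split("-----", 1)[1].split("-----END")[0]
    return base64.b64decode("".join(body.split()))


def der_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, value_start, end_of_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (selector 1 input)."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv(cert_der, tbs_pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RDATA tuple (usage, selector, mtype, hex association data), RFC 6698 section 2.1."""
    data = cert_der if selector == 0 else spki_from_der(cert_der)
    if mtype == 0:
        assoc = data                                # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return (usage, selector, mtype, assoc.hex())


def tlsa_record(owner, port, cert_der, ttl=3600, proto="tcp", **kw):
    """Zone-file line for the TLSA owner name _<port>._<proto>.<owner>, ready for nsupdate."""
    u, s, m, assoc = tlsa_rdata(cert_der, **kw)
    return "_%d._%s.%s. %d IN TLSA %d %d %d %s" % (port, proto, owner, ttl, u, s, m, assoc)


def dane_ee_match(cert_der, rrset):
    """True if any DANE-EE (usage 3) record in rrset matches the presented leaf certificate.
    Usages 0-2 additionally require PKIX or trust-anchor validation and are skipped here."""
    for usage, selector, mtype, hexdata in rrset:
        if usage == 3 and tlsa_rdata(cert_der, usage, selector, mtype)[3] == hexdata.lower():
            return True
    return False


# --- constructed test material: correct ASN.1 layout, bogus keys and signatures ---

def der(tag, payload):
    """Minimal DER encoder used only to build the constructed certificates below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
EC_PUBKEY_OID = der(0x06, bytes.fromhex("2a8648ce3d0201"))        # 1.2.840.10045.2.1
P256_OID = der(0x06, bytes.fromhex("2a8648ce3d030107"))           # 1.2.840.10045.3.1.7


def fake_spki(point_bytes):
    """SubjectPublicKeyInfo for an EC P-256 key whose point bytes are arbitrary (not a real key)."""
    return der(0x30, der(0x30, EC_PUBKEY_OID + P256_OID) + der(0x03, b"\x00\x04" + point_bytes))


def fake_cert(spki, serial):
    """Certificate with the real X.509 v3 field order; issuer, subject and signature are dummies."""
    validity = der(0x30, der(0x17, b"200208000000Z") + der(0x17, b"200508000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + der(0x30, SHA256_RSA_OID)
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, SHA256_RSA_OID) + der(0x03, b"\x00" + b"\xaa" * 16))


SPKI_OLD = fake_spki(bytes(range(64)))
SPKI_NEW = fake_spki(bytes(reversed(range(64))))
CERT_OLD = fake_cert(SPKI_OLD, serial=1)
CERT_RENEWED_SAME_KEY = fake_cert(SPKI_OLD, serial=2)    # renewal that keeps the private key
CERT_NEW_KEY = fake_cert(SPKI_NEW, serial=3)             # renewal with a fresh private key
CERT_OLD_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_OLD).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(tlsa_record("mydomain1.tld", 443, CERT_OLD))
    print(tlsa_record("mydomain1.tld", 25, CERT_OLD, ttl=300))
```

The matching checks make the operational caveat of step 4 visible: a `3 1 1` record keeps matching after a renewal only if the private key is kept, so with certbot the renewal has to use `--reuse-key` (or the TLSA record must be replaced at every renewal); a `3 0 1` record hashes the whole certificate and breaks on every reissue. The usual rollover is to publish the record for the new key alongside the old one for at least the TTL before switching certificates, which is the two-record RRset checked here.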
