FUN WITH LINUX

Postfix: verified TLS with DANE

14 May 2018

TLS via SMTP is opportunistic which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, DANE could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified. Postfix was one of the first smtp-servers that implemented DANE since the author of the DANE protocol is a postfix-developer. This article describes how to enable DANE in postfix.

Preconditions

It’s very easy to enable DANE in postfix. First we have to ensure that postfix can resolve DNSsec queries. I recommend to install the dns-resolver “unbound” on the postfix-server. Unbound does DNSsec pretty well. It also automatically manages the trust-anchors for DNSsec. We can check if DNSsec works, if the “ad”-flag is set. So lets use dig to test it:

> DiG 9.9.5-9+deb8u15-Debian <<>> gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35764
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov. IN	A

As we can see, the “ad”-flag was set. If we use a resolver without dnssec-support it would look like that:

% dig gov. +dnssec   

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25074
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;gov. IN	A

As you can see, there is no “ad”-flag in this example. That indicates that DNSsec is not supported by the resolver.

Postfix-config

As soon as we set up a resolver with dnssec-support, we can easily enable DANE in postfix:

# DANE-Settings 
smtp_dns_support_level=dnssec 
smtp_host_lookup=dns 
smtp_tls_security_level = dane 
smtp_tls_loglevel=1 

Now postfix will always try to verify the TLS-connection using DANE. If you just want to enable DANE for specific domains, I’ll recommend have a look at the example in the postfix-documentation.

Test

We can test DANE by sending Emails to a server that has TLSA-Records. There is a list of domains with TLSA-records at the end of this pdf. I just tested DANE by sending an email to a gmx.net-address:

May 12 21:26:59 mymailserver postfix/smtp[3064]: Verified TLS connection established to mx01.emig.gmx.net[212.227.17.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

The keyword “Verified” indicates that the TLS-connection could be verified.

[ Linux  Mail  Sysadmin  Security  Email  Crypto  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-2021 Hoti