TLS in SMTP is opportunistic, which leaves connections vulnerable to man-in-the-middle attacks. DANE can be used to prevent such attacks. The sending server first checks the recipient domain's DNS records: whether DNSSEC is in use (and valid) and whether a TLSA record is published (and valid). If a valid TLSA record matches the certificate of the receiving server, the connection is encrypted and the encryption is verified. Postfix was one of the first SMTP servers to implement DANE, since the author of the DANE protocol is a Postfix developer. This article describes how to enable DANE in Postfix.
It is very easy to enable DANE in Postfix. First we have to make sure that Postfix can resolve DNSSEC-validated queries. I recommend installing the DNS resolver "unbound" on the Postfix server: Unbound handles DNSSEC well and also manages the DNSSEC trust anchors automatically. We can check whether DNSSEC validation works by looking for the "ad" (authenticated data) flag in the response, so let's use dig to test it:
; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35764
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                           IN      A
As we can see, the "ad" flag is set. With a resolver that does not support DNSSEC, the output looks like this:
% dig gov. +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25074
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;gov.                           IN      A
As you can see, there is no "ad" flag in this example. That indicates that DNSSEC is not supported by the resolver.
As soon as a resolver with DNSSEC support is set up, we can easily enable DANE in Postfix by adding the following to main.cf:
# DANE-Settings
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
Now Postfix will always try to verify TLS connections using DANE. If you only want to enable DANE for specific domains, I recommend having a look at the example in the Postfix documentation.
We can test DANE by sending email to a server that publishes TLSA records. There is a list of domains with TLSA records at the end of this PDF. I just tested DANE by sending an email to a gmx.net address:
May 12 21:26:59 mymailserver postfix/smtp: Verified TLS connection established to mx01.emig.gmx.net[126.96.36.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
The keyword "Verified" indicates that the TLS connection was verified, i.e. the certificate of the receiving server matched its TLSA record. A line that instead says "Untrusted TLS connection established" means the session was encrypted but the peer could not be verified, so it is worth grepping the mail log for that wording when checking whether DANE is actually in effect.
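The matching step described at the start of the article, a TLSA record compared against the receiving server's certificate, can be reproduced offline. The following is an added example (not the article's or Postfix's own code): it extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, derives the record data a domain would publish, and checks whether a given record matches. The `der` helper and the certificate structure used for testing are constructed here, not taken from a real server.

```python
import hashlib

def der(tag, body):
    """Minimal DER encoder (tag, length, body); used only to build constructed test input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_tlv(buf, pos=0):
    """Decode the DER element at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(body):  # yield (tag, value, raw_bytes) per element of a SEQUENCE body
    pos = 0
    while pos < len(body):
        tag, val, end = _der_tlv(body, pos)
        yield tag, val, body[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """Return the encoded SubjectPublicKeyInfo of an X.509 DER certificate (selector 1)."""
    _, cert_body, _ = _der_tlv(cert_der)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = list(_der_children(next(_der_children(cert_body))[1]))   # tbsCertificate fields
    if fields[0][0] == 0xA0:                        # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]

_MATCH = {0: lambda d: d,                           # matching type 0: full data
          1: lambda d: hashlib.sha256(d).digest(),  # 1: SHA-256
          2: lambda d: hashlib.sha512(d).digest()}  # 2: SHA-512
def tlsa_rdata(cert_der, selector, mtype):
    """Hex certificate association data to publish for cert_der (RFC 6698 section 2.1)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return _MATCH[mtype](data).hex()

def tlsa_matches(cert_der, usage, selector, mtype, assoc_hex):
    """True if the TLSA record matches cert_der. For usage 2 (DANE-TA) pass the issuing
    CA certificate from the chain, not the leaf; usages 0/1 are unusable for SMTP
    (RFC 7672) and never match here."""
    if usage not in (2, 3):
        return False
    return tlsa_rdata(cert_der, selector, mtype) == assoc_hex.lower()
```

`tlsa_rdata(cert, 1, 1)` is the data for the usual "3 1 1" record; a DER certificate from a real server would normally be obtained with openssl s_client and fed in as bytes.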