909-546-4700

2018-10-22 DANE, sendmail, openssl, TLSv1.3

Introduction

See my earlier entry for reasons to use DANE. The German Federal Office for Information Security recently published their requirements for secure transport of email. NIST recently published a document on email security, which advocates the use of DANE. The following organizations now publish TLSA records for their mail servers:

a21an.org 3 1 1
aanbodpagina.nl 3 0 1
alerts.comcast.net 3 0 1
allard.it 3 0 1
aminor.no 3 1 1
anubisnetworks.com 3 1 1
apnic.net 3 1 1
arminpech.de 2 1 1
artcom.de 3 1 1
augustin.pl 3 1 1
backschues.de 3 1 1
bakker.net 1 0 1
bayern.de 3 0 1
beerstra.org 3 1 2
bk-mail.com 3 0 1
bmwl.co 3 1 1
bogus.com 3 1 1
bund.de 3 0 1
byington.org 3 0 1
calcite.rhyolite.com 3 1 1
cesnet.cz 2 0 1
chaos1.de 3 0 1
cip.cs.fau.de 3 1 1
cip.cs.fau.de 3 1 2
comcast.net 3 1 1
consultant.com 3 1 1
crossivity.com 3 0 1
cs.fau.de 3 1 1
cs.fau.de 3 1 2
cybergal.com 3 1 1
debian.org 3 1 1
defcon.org 3 1 1
dekkers.ch 3 0 1
dk-hostmaster.dk 3 0 1
dns-oarc.net 3 0 1
dukhovni.org 3 1 1
earthling.net 3 1 1
edup.tudelft.nl 2 1 1
edup.tudelft.nl 3 1 1
email.com 3 1 1
esmtp.org 3 1 1
ethgen.de 3 0 1
fire.lp0.eu 3 1 2
five-ten-sg.com 3 0 1
freebsd.org 3 1 1
freenet.de 3 1 1
frm2.tu-muenchen.de 3 1 1
gallische-dorp.net 3 0 1
giesen.me 3 1 2
gluping.no 3 1 1
gmx.at 3 1 1
gmx.ch 3 1 1
gmx.com 3 1 1
gmx.co.uk 3 1 1
gmx.de 3 1 1
gmx.it 3 1 1
gmx.net 3 1 1
gmxpro.net 3 1 1
gmx-topmail.de 3 1 1
gmx.us 3 1 1
gohost.cz 3 1 1
gozmail.net 3 1 2
gtaylor.tnetconsulting.net 3 1 1
hansenpartnership.com 3 1 1
hauke-m.de 3 1 1
heikorichter.name 3 0 1
heinlein-support.de 3 1 1
horde.net 3 0 1
ietf.org 3 1 1
iki.fi 2 0 1
iname.com 3 1 1
incertum.net 2 1 1
informatik.uni-erlangen.de 3 1 1
informatik.uni-erlangen.de 3 1 2
infracaninophile.co.uk 3 1 1
intershop.de 3 0 2
isc.org 3 0 1
iwmail.com 3 1 1
jasperalblas.nl 3 0 1
jauu.net 3 1 1
jhcloos.com 3 1 1
johani.org 3 1 1
jpbe.de 3 1 1
jpberlin.de 3 0 1
jpberlin.de 3 1 1
kabelmail.de 3 0 1
kania-online.de 3 1 1
karotte.org 3 1 1
keemail.me 3 0 1
killian.com 3 0 1
klam.ca 3 1 1
kolabsys.com 3 0 1
lavabit.com 3 0 1
leonweber.de 3 0 1
leuxner.net 3 1 1
lists.grepular.com 2 1 1
lists.isc.org 3 0 1
lists.microscopium.de 3 0 1
lists.samba.org 2 1 1
lists.samba.org 3 0 1
lothlorien.ca 3 1 1
lrz.de 3 1 1
mailbox.org 3 1 1
mail.com 3 1 1
mail.de 3 1 1
mail.org 3 1 1
mgm51.com 3 1 1
microscopium.de 3 0 1
mindless.com 3 1 1
mkbbelangen.nl 3 0 1
ml.karotte.org 3 1 1
monksofcool.net 2 1 1
mork.no 3 1 1
mortis.eu 3 1 1
mykolab.com 3 0 1
nerd-residenz.de 3 1 1
netassist.ua 3 0 1
netbsd.org 3 1 1
netherlabs.nl 3 1 2
nic.br 3 1 1
nic.cz 3 1 1
nic.fr 3 0 1
nikhef.nl 2 1 1
nikhef.nl 3 1 1
nlnetlabs.nl 3 1 1
noordervliet.net 2 1 1
null.net 3 1 1
offerman.com 3 0 1
open.ch 2 1 1
open.ch 3 1 1
openssl.org 3 1 1
open-xchange.com 3 0 1
pahem.de 3 1 1
posix.co.za 3 1 1
posteo.de 3 1 1
posteo.se 3 1 1
powerdns.com 3 1 1
powerdns.com 3 1 2
prime.gushi.org 3 0 1
programmer.net 3 1 1
psg.com 3 1 1
quux.de 2 0 2
registro.br 3 1 1
rellim.com 3 1 1
rhrk.uni-kl.de 3 0 1
rhyolite.com 3 1 1
roeckx.be 3 1 1
rshell.org 3 1 1
rtp-net.org 3 1 2
rub.de 3 0 1
samba.org 2 1 1
samba.org 3 0 1
sandwich.net 3 1 1
schildbach.de 3 1 1
semperen.com 3 1 1
sidn.nl 3 1 1
sigma-chemnitz.de 2 0 1
smart.ms 3 1 1
sotecware.net 3 0 1
spodhuis.org 2 0 1
ssd.axu.tm 2 0 1
sticht.net 3 0 1
strotmann.de 2 1 1
swm.pp.se 3 0 1
swordarmor.fr 3 1 2
sys4.de 3 1 1
t-2.com 3 0 1
t-2.net 3 0 1
t3i.nl 3 0 1
techie.com 3 1 1
tecnico.ulisboa.pt 3 1 1
tecnico.ulisboa.pt 3 1 2
th-k.net 3 0 1
tnetconsulting.net 3 1 1
toke.dk 3 1 1
torproject.org 3 1 1
trashmail.com 3 0 2
trouble.is 3 1 1
tum.de 3 1 1
tuta.io 3 0 1
tutanota.com 3 0 1
u-1.phicoh.com 3 1 1
unitybox.de 3 1 1
unitymedia.de 3 0 1
usa.com 3 1 1
vulnscan.org 2 1 1
web.de 3 1 1
wheres5.com 3 1 2
wizmail.org 2 0 1
wk-serv.de 3 0 1
xs4all.net 3 1 1
xs4all.nl 3 1 1
z0z0.tk 3 1 2

Source code

Starting with openssl-1.1.1.tar.gz, we produce a Centos rpm openssl11-1.1.1-1.el6.src.rpm. This openssl11 version installs in /usr/local, so it does not conflict with the stock Centos version in /usr. This version enables TLSv1.3.

Starting with sendmail.8.16.0.29 snapshot, and adding my DANE patch we produce sendmail-8.16.0-7.el6.src.rpm. That rpm depends on the openssl11 rpm above. The original sendmail snapshot included partial support for DANE-EE (3-1-1) records. This patch updates that with the DANE code in openssl which supports all the DANE types. This rpm is built with -D_FFR_TLSA_DANE2 to use the DANE code from openssl. You can install the patch into a sendmail source tree, and build with -D_FFR_TLSA_DANE to get the original snapshot partial DANE support.

Centos code

These rpms can be built on Centos6, or Centos7 with "rpmbuild --rebuild --define 'dist .el7' ..."
openssl11-1.1.1-1.el6.src.rpm
sendmail-8.16.0-7.el6.src.rpm
sendmail-8.16.0-dane.patch

On Centos, the stock sendmail requires openldap. On Centos6, openldap requires libssl3, but does not require libssl. However, on Centos7, openldap requires both libssl3 and libssl. That leads to a shared library conflict, where sendmail directly requires libssl.so.11, and indirectly via openldap requires libssl.so.10. This sendmail source rpm builds sendmail without ldap to avoid that conflict.

OpenSSL 1.1.1 will try to use TLSv1.3, but it may end up sending a very large SSL client HELLO message if you have a large CACertFile. Check your sendmail.cf settings for

O CACertFile
O CACertPath

CACertFile should only contain a few CA certificates, including the one that signed your ServerCertFile. CACertPath should point to a directory containing the certificates, one per file, of the CAs that you want to trust. If your config looks like

O CACertFile=/etc/pki/tls/certs/ca-bundle.crt
O CACertPath=/etc/pki/tls/certs

you need to split that bundle into separate files, possibly using something like

cd /etc/pki/tls/certs
rm -f root.ca.cert* *.0
csplit -n 4 -k -f root.ca.cert. ca-bundle.crt '/END CERTIFICATE/+1' '{*}'
for fn in root.ca.cert*; do
    [ -s "$fn" ] && ln -s $fn $(openssl x509 -noout -hash < $fn).0
done

and then change the config to something like

O CACertFile=/etc/pki/tls/certs/one-ca-certificate.pem
O CACertPath=/etc/pki/tls/certs

DANE usage in sendmail

First, ensure that your sendmail installation is talking to a trusted validating recursive resolver. One way to achieve this is to run Bind and sendmail on the same machine, and point /etc/resolv.conf to localhost, and of course configure Bind with:

options {
    dnssec-enable yes;
    dnssec-validation auto;
}

Add the following to your /etc/mail/sendmail.mc and rebuild sendmail.cf:

LOCAL_CONFIG
O DANE=always

The DANE option can be one of (true, false, always); the default is false. If DANE=True, sendmail only uses TLSA records that are secured by DNSSEC. If DANE=always, sendmail uses all TLSA records, including those found as a result of insecure MX, CNAME, or TLSA responses.

dig isc.org mx +short
10 mx.pao1.isc.org.
20 mx.ams1.isc.org.

dig _25._tcp.mx.ams1.isc.org. tlsa +short
3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

Test cases that work

  1. Two MX records, both with usable TLSA records, and both servers advertise starttls. The primary MX server key does not match the TLSA record. Mail will be delivered (verify=TRUSTED) to the secondary MX.
    test1               IN MX   10 test1a
                        IN MX   20 test1b
    test1a              A       69.167.152.113
    test1b              A       38.64.93.21
    _25._tcp.test1a     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test1b     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  2. One MX record with a usable TLSA record, and the server advertises starttls. The server key does not match the TLSA record. Mail will bounce (403 4.7.0 DANE check failed).
    test2               IN MX   10 test2a
    test2a              A       69.167.152.113
    _25._tcp.test2a     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  3. Two MX records, both with usable TLSA records, but the primary MX does not advertise starttls. Mail will be delivered (verify=TRUSTED) to the secondary MX.
    test3               IN MX   10 test3a
                        IN MX   20 test3b
    test3a              A       69.167.152.152
    test3b              A       38.64.93.21
    _25._tcp.test3a     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test3b     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  4. One MX record with a usable TLSA record, but the server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
    test4               IN MX   10 test4a
    test4a              A       69.167.152.152
    _25._tcp.test4a     TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  5. One MX record with an unusable (usage not 2 or 3) TLSA record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
    test5               IN MX   10 test5a
    test5a              A       38.64.93.21
    _25._tcp.test5a     TLSA    1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63
    

  6. One MX record with an unusable (usage not 2 or 3) TLSA record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
    test6               IN MX   10 test6a
    test6a              A       69.167.152.152
    _25._tcp.test6a     TLSA    1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63
    

  7. One MX record with an unusable (selector not 0 or 1) TLSA record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
    test7               IN MX   10 test7a
    test7a              A       38.64.93.21
    _25._tcp.test7a     TLSA    3 2 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  8. One MX record with an unusable (selector not 0 or 1) TLSA record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
    test8               IN MX   10 test8a
    test8a              A       69.167.152.152
    _25._tcp.test8a     TLSA    3 2 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  9. One MX record with an unusable (match > 2) TLSA record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
    test9               IN MX   10 test9a
    test9a              A       38.64.93.21
    _25._tcp.test9a     TLSA    3 0 4 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  10. One MX record with an unusable (match > 2) TLSA record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
    test10              IN MX   10 test10a
    test10a             A       69.167.152.152
    _25._tcp.test10a    TLSA    3 0 4 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  11. One MX record with an unusable (bad digest length) TLSA record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
    test11              IN MX   10 test11a
    test11a             A       38.64.93.21
    _25._tcp.test11a    TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb0
    

  12. One MX record with an unusable (bad digest length) TLSA record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
    test12              IN MX   10 test12a
    test12a             A       69.167.152.152
    _25._tcp.test12a    TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb0
    

  13. Mail domain has a CNAME chain that ends with one MX record with a usable TLSA record, and the server advertises starttls. The server key matches the TLSA record. Mail will be delivered (verify=TRUSTED).
    test13              IN CNAME    test13a
    test13a             IN MX   10  test13aa
    test13aa            A       38.64.93.21
    _25._tcp.test13aa   TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  14. Mail domain has a CNAME chain that ends with one MX record with a usable TLSA record, and the server advertises starttls. The server key does not match the TLSA record. Mail will bounce (403 4.7.0 DANE check failed).
    test14              IN CNAME    test14a
    test14a             IN MX   10  test14aa
    test14aa            A       38.64.93.21
    _25._tcp.test14aa   TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  15. Mail domain has a CNAME chain that ends with one MX record with a usable TLSA record. The MX host has a CNAME chain that ends with an A record (violating standards). The server advertises starttls. The server key matches the TLSA record. Mail will be delivered (verify=TRUSTED).
    test15              IN CNAME    test15a
    test15a             IN MX   10  test15aa
    test15aa            IN CNAME    test15aaa
    test15aaa           IN CNAME    test15aaaa
    test15aaaa          A       38.64.93.21
    _25._tcp.test15aa   TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  16. Mail domain has a CNAME chain that ends with one MX record with a usable TLSA record. The MX host has a CNAME chain that ends with an A record (violating standards). The server advertises starttls. The server key does not match the TLSA record. Mail will bounce (403 4.7.0 DANE check failed).
    test16              IN CNAME    test16a
    test16a             IN MX   10  test16aa
    test16aa            IN CNAME    test16aaa
    test16aaa           IN CNAME    test16aaaa
    test16aaaa          A       38.64.93.21
    _25._tcp.test16aa   TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  17. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). The end of that chain has a usable TLSA record. The server advertises starttls. The server key matches the TLSA record. Mail will be delivered (verify=TRUSTED).
    test17              IN CNAME    test17a
    test17a             IN MX   10  test17aa
    test17aa            IN CNAME    test17aaa
    test17aaa           IN CNAME    test17aaaa
    test17aaaa          A       38.64.93.21
    _25._tcp.test17aaaa TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  18. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). The end of that chain has a usable TLSA record. The server advertises starttls. The server key does not match the TLSA record. Mail will bounce (403 4.7.0 DANE check failed).
    test18              IN CNAME    test18a
    test18a             IN MX   10  test18aa
    test18aa            IN CNAME    test18aaa
    test18aaa           IN CNAME    test18aaaa
    test18aaaa          A       38.64.93.21
    _25._tcp.test18aaaa TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  19. Mail domain has an MX record secured by DNSSEC. The MX host is in an insecure domain with an A record. The query for TLSA records for the MX host gets a timeout. Mail will be delivered (verify=FAIL) unauthenticated to the MX host - we must not attempt delivery to the test19 A record. The query for the TLSA record should be suppressed, since the A record is in an insecure zone. But if the query is not suppressed it will timeout, and that timeout must be ignored.
    test19              IN MX   10  test19a.moretesting
                        A           192.168.200.200
    ; insecure zone moretesting
    test19a.moretesting             A           38.64.93.21
    _25._tcp.test19a.moretesting    IN CNAME    _25._tcp.test19aa.testing
    

  20. Mail domain has an MX records secured by DNSSEC. The MX host has an A record secured by DNSSEC. The query for TLSA records for the MX host gets a timeout. Mail will bounce (403 4.7.0 DANE check failed). We must not fallback and attempt delivery to the test20 A record.
    test20              IN MX   10  test20a
                        A           38.64.93.21
    test20a             A           38.64.93.21
    _25._tcp.test20a    IN CNAME    _25._tcp.test20aa.testing
    

  21. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). Both ends of that chain have usable TLSA records. The TLSA record at the start of the chain does not match the server key, but should be ignored. The TLSA record at the end of the chain matches the server key. The server advertises starttls. Mail will be delivered (verify=TRUSTED).
    test21              IN CNAME    test21a
    test21a             IN MX   10  test21aa
    test21aa            IN CNAME    test21aaa
    test21aaa           IN CNAME    test21aaaa
    test21aaaa          A       38.64.93.21
    _25._tcp.test21aaaa TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test21aa   TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  22. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). Both ends of that chain have usable TLSA records. The TLSA record at the start of the chain matches the server key, but should be ignored. The TLSA record at the end of the chain does not match the server key. The server advertises starttls. Mail will bounce (403 4.7.0 DANE check failed).
    test22              IN CNAME    test22a
    test22a             IN MX   10  test22aa
    test22aa            IN CNAME    test22aaa
    test22aaa           IN CNAME    test22aaaa
    test22aaaa          A       38.64.93.21
    _25._tcp.test22aaaa TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test22aa   TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  23. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). Both ends of that chain have usable TLSA records. The TLSA record at the start of the chain matches the server key. The TLSA record at the end of the chain does not match the server key, but should be ignored since the CNAME chain wanders thru an insecure zone. The server advertises starttls. Mail will be delivered (verify=TRUSTED).
    test23              IN CNAME    test23a
    test23a             IN MX   10  test23aa
    test23aa            IN CNAME    test23aaa.moretesting   ; -> test23aaa
    test23aaa           IN CNAME    test23aaaa
    test23aaaa          A       38.64.93.21
    _25._tcp.test23aaaa TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test23aa   TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

  24. Mail domain has a CNAME chain that ends with one MX record. The MX host has a CNAME chain that ends with an A record (violating standards). Both ends of that chain have usable TLSA records. The TLSA record at the start of the chain does not match the server key. The TLSA record at the end of the chain matches the server key, but should be ignored since the CNAME chain wanders thru an insecure zone. The server advertises starttls. Mail will bounce (403 4.7.0 DANE check failed).
    test24              IN CNAME    test24a
    test24a             IN MX   10  test24aa
    test24aa            IN CNAME    test24aaa.moretesting   ; -> test24aaa
    test24aaa           IN CNAME    test24aaaa
    test24aaaa          A       38.64.93.21
    _25._tcp.test24aaaa TLSA    3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    _25._tcp.test24aa   TLSA    3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
    

Remaining issues