Conversation

Nice data: stats.dnssec-tools.org Nearly 2M domains with DNSSEC and MX pointing to host with DANE records. But under 5500 actual MX's with DANE records. IOW almost everyone's mail is outsourced to big providers...

Replying to

I have attestation.app set up to send out the automated alert emails that are part of the service with OpenSMTPD + dkimproxy but I simply haven't had time to do more. Forwarding emails sent to the GrapheneOS domains is a placeholder until there's time to set something up.

attestation.app

Device integrity monitoring

Hardware-based remote attestation service for monitoring the security of Android devices using the Auditor app.

Replying to

Is it validating DANE when sending them out?

Replying to

It's not currently supported by OpenSMTPD which is the current mail server: github.com/OpenSMTPD/Open I don't know what happened with their work on implementing it. To have DANE verification in the short term I'd need to use a different mail server, which isn't very appealing.

github.com

DANE: implement DANE ... · Issue #409 · OpenSMTPD/OpenSMTPD

We have to do it and our main competitor has it already ;-)

Replying to

and

If I run the mail server on another server to share it across attestation.app and grapheneos.org, AttestationServer would have a remote connection via SMTPS: github.com/GrapheneOS/Att I'd probably need to deal with TLS at a lower level to pin a certificate there.

github.com

AttestationServer/AlertDispatcher.java at main · GrapheneOS/AttestationServer

Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email ...

Replying to

What SMTPS even means is fuzzy, but AIUI it's just a convention for mail submission and has nothing to do with transport.

Replying to

I'm talking about the connection AttestationServer makes to the mail server to send the alert emails. The mail server is currently on the same server so it's an SMTP connection over localhost. I had support for a remote mail server via TLS but I only used that for early testing.

Replying to

and

AttestationServer delegates the complexity of sending emails properly to an external mail server. It's nice to have it decoupled from setting up DKIM, etc. It could send email more directly but I need a mail server for sending non-automated email from these domains anyway.

3:56 AM · Mar 29, 2020Twitter Web App

Replying to

This is basically exactly what mxclient is for.

Replying to

Yeah, it fills the current use case I have for AttestationServer. I'm just unsure how I should approach this as a whole. If I set up an email server for sending / receiving mail for the GrapheneOS domains, it would make sense for attestation.app to use that instead.

attestation.app

Device integrity monitoring

Hardware-based remote attestation service for monitoring the security of Android devices using the Auditor app.

Show replies