Nice data: stats.dnssec-tools.org. Nearly 2M domains with DNSSEC and MX pointing to a host with DANE records, but under 5500 actual MXes with DANE records. IOW almost everyone's mail is outsourced to big providers...
I have attestation.app set up to send out the automated alert emails that are part of the service with OpenSMTPD + dkimproxy but I simply haven't had time to do more. Forwarding emails sent to the GrapheneOS domains is a placeholder until there's time to set something up.
It's not currently supported by OpenSMTPD which is the current mail server:
github.com/OpenSMTPD/Open
I don't know what happened with their work on implementing it. To have DANE verification in the short term I'd need to use a different mail server, which isn't very appealing.
If I run the mail server on another server to share it across attestation.app and grapheneos.org, AttestationServer would have a remote connection via SMTPS:
github.com/GrapheneOS/Att
I'd probably need to deal with TLS at a lower level to pin a certificate there.
What SMTPS even means is fuzzy, but AIUI it's just a convention for mail submission and has nothing to do with transport.
I'm talking about the connection AttestationServer makes to the mail server to send the alert emails. The mail server is currently on the same server so it's an SMTP connection over localhost. I had support for a remote mail server via TLS but I only used that for early testing.
The important part is whether that mail server uses a secure connection to pass the message on to the recipient, not the connection to localhost to submit the mail.
Yeah, I'm just saying that if I split out the mail server to another server in order to start using it for receiving mails and handling other domains, I'd need to start using the AttestationServer support for SMTPS and I'd want to extend that with support for pinning the cert.
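The DANE verification the thread says OpenSMTPD lacks and the certificate pin wanted for AttestationServer's remote SMTP connection come down to the same comparison: hash the certificate (or just its public key) the server presents and compare it against a published TLSA record or a configured value. The code below is an added example, not code from the thread or from GrapheneOS; it assumes a constructed X.509-shaped DER skeleton in place of a real certificate and implements only the DANE-EE (usage 3) case.

```python
import hashlib
import hmac

def der_read(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (definite)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, raw_tlv) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        yield tag, body[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """Return the raw subjectPublicKeyInfo TLV of a DER Certificate (RFC 5280)."""
    _, cert_body, _ = der_read(cert_der)
    tbs = next(der_children(cert_body))[1]     # tbsCertificate is the first field
    fields = list(der_children(der_read(tbs)[1]))
    if fields[0][0] == 0xA0:                   # skip optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_matches(tlsa, cert_der):
    """tlsa = (usage, selector, matching_type, data) per RFC 6698. Only DANE-EE
    (usage 3) is handled: the served end-entity cert itself must match."""
    usage, selector, mtype, data = tlsa
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](subject)
    return hmac.compare_digest(digest, data)

def der_tlv(tag, body):  # short-form DER TLV; every sample field is under 128 bytes
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed sample: an X.509-shaped skeleton, not a real signed certificate.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                      + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                     + der_tlv(0x30, b"") * 4 + SAMPLE_SPKI)  # empty sigAlg/issuer/validity/subject
SAMPLE_CERT = der_tlv(0x30, SAMPLE_TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
SAMPLE_TLSA = (3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())  # published as "3 1 1 <hex>"
```

A real deployment would fetch the TLSA RRset with DNSSEC validation and apply the same check to the certificate from the STARTTLS handshake; pinning in a client is the same comparison with the expected digest configured locally instead of read from DNS.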