Nice data: stats.dnssec-tools.org Nearly 2M domains with DNSSEC and MX pointing to host with DANE records. But under 5500 actual MXs with DANE records. IOW almost everyone's mail is outsourced to big providers...
I have attestation.app set up to send out the automated alert emails that are part of the service with OpenSMTPD + dkimproxy but I simply haven't had time to do more. Forwarding emails sent to the GrapheneOS domains is a placeholder until there's time to set something up.
It's not currently supported by OpenSMTPD which is the current mail server:
github.com/OpenSMTPD/Open
I don't know what happened with their work on implementing it. To have DANE verification in the short term I'd need to use a different mail server, which isn't very appealing.
Ugh, looks like it's been pending since 2014:
I ended up migrating to Postfix to get DANE verification for my outbound mail along with the potential to start checking MTA-STS policies via github.com/Snawoot/postfi if I decide to integrate that. Also switched to OpenDKIM from dkimproxy and added in spf-engine to verify SPF.
I used havedane.net as a basic test and it passed that with sensible output in the logs. It would make sense to test it a bit more though.
I wish I could use ssllabs.com/ssltest/ with IMAP and SMTP. I used ssl-config.mozilla.org to deal with generating the baseline. I added `tls_ssl_options = NO_RENEGOTIATION` to that in addition to `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`.
en.internet.nl is useful, although they still recommend server cipher order. Mozilla stopped recommending that for the Modern/Intermediate configurations since all the ciphers are strong with forward secrecy. Might as well let the client use whatever is fastest for them.
I'll check it out. I couldn't find any tests for outgoing that are expected to fail so I made my own.
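A minimal version of the matching step a DANE-EE check performs against the MX host's key, as an added example that is not code from anyone in this thread or from Postfix. The SPKI bytes and record values are constructed; a record published for some other key is the kind of expected-to-fail outbound test mentioned above.

```python
import hashlib

# Constructed stand-in for the DER SubjectPublicKeyInfo of an MX host's leaf
# certificate; in a real check it comes from the TLS handshake with the MX.
PEER_SPKI = b"constructed-spki-der-placeholder"


def _digest(spki: bytes, matching_type: int):
    """Apply the TLSA matching type to the SPKI: 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    if matching_type == 0:
        return spki
    if matching_type == 1:
        return hashlib.sha256(spki).digest()
    if matching_type == 2:
        return hashlib.sha512(spki).digest()
    return None  # unknown matching type: the record is unusable


def tlsa_for_spki(spki: bytes, matching_type: int = 1) -> str:
    """Presentation-format '3 1 <mtype> <hex>' record a domain owner would publish."""
    data = _digest(spki, matching_type)
    if data is None:
        raise ValueError("unsupported matching type")
    return f"3 1 {matching_type} {data.hex()}"


def parse_tlsa(record: str):
    """Split '<usage> <selector> <mtype> <hex>' into fields (hex may contain spaces)."""
    usage, selector, mtype, data = record.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def dane_ee_spki_matches(tlsa_records, spki: bytes) -> bool:
    """True if any usable DANE-EE(3)/SPKI(1) record matches the peer's SPKI.

    Other usages and selectors are skipped here: DANE-TA(2) needs chain
    validation and Cert(0) needs the whole certificate, which this minimal
    check does not do. A full verifier such as Postfix handles those too."""
    for record in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(record)
        if usage != 3 or selector != 1:
            continue
        expected = _digest(spki, mtype)
        if expected is not None and expected == data:
            return True
    return False
```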