I have attestation.app set up to send out the automated alert emails that are part of the service with OpenSMTPD + dkimproxy but I simply haven't had time to do more. Forwarding emails sent to the GrapheneOS domains is a placeholder until there's time to set something up.
It's not currently supported by OpenSMTPD which is the current mail server:
github.com/OpenSMTPD/Open
I don't know what happened with their work on implementing it. To have DANE verification in the short term I'd need to use a different mail server, which isn't very appealing.
Ugh, looks like it's been pending since 2014:
I ended up migrating to Postfix to get DANE verification for my outbound mail along with the potential to start checking MTA-STS policies via github.com/Snawoot/postfi if I decide to integrate that. Also switched to OpenDKIM from dkimproxy and added in spf-engine to verify SPF.
I used havedane.net as a basic test and it passed that with sensible output in the logs. It would make sense to test it a bit more though.
I wish I could use ssllabs.com/ssltest/ with IMAP and SMTP. I used ssl-config.mozilla.org to deal with generating the baseline. I added `tls_ssl_options = NO_RENEGOTIATION` to that in addition to `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`.
en.internet.nl is useful, although they still recommend server cipher order. Mozilla stopped recommending that for the Modern/Intermediate configurations since all the ciphers are strong with forward secrecy. Might as well let the client use whatever is fastest for them.
Yeah I was kinda confused by their cipher warnings. OTOH I like that they're the only site that didn't say either "you're perfect" or "you're insecure because MTA-STS is required to be secure".
At the moment I still set server cipher order so that test suites like this will pass. Mozilla used to recommend that, but they stopped doing it. en.internet.nl is based around guidelines from the Netherlands government which encourage stronger than 128-bit security.
They want to force using the strongest available ciphers while Mozilla just wants 128-bit security or better with forward secrecy. Using the Mozilla configuration and changing server cipher to `on` will pass all the test suites like this following EU guidelines with no real loss.
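A Postfix main.cf fragment that puts the settings named in this thread together (DNSSEC lookups and DANE verification for outbound mail, renegotiation disabled, and the server cipher order toggle discussed above). This is an added example, not the author's actual configuration; the certificate paths are placeholders and the Mozilla generator's cipher list is assumed to be applied separately.

```ini
# main.cf fragment (added example, not the author's config).
# Assumes Postfix >= 3.4 (for NO_RENEGOTIATION) and a DNSSEC-validating
# resolver listening on localhost, which DANE depends on.

# Inbound: offer TLS, TLS 1.2+ only, cipher list assumed from the Mozilla generator.
smtpd_tls_security_level = may
# placeholder paths
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high

# Server cipher order. Mozilla's generator emits "no" (the client picks, since every
# offered suite is strong and forward secret); "yes" is what the thread sets so that
# en.internet.nl and similar suites pass.
tls_preempt_cipherlist = yes

# Refuse TLS renegotiation for both the SMTP client and server side.
tls_ssl_options = NO_RENEGOTIATION

# Outbound: opportunistic DANE. Postfix only trusts TLSA records that the resolver
# returns with the AD bit set, so dnssec support plus a local validating resolver
# is required; without usable TLSA records it falls back to unauthenticated TLS.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Level 1 logs a per-connection summary, so a "Verified TLS connection established"
# line for a DANE-enabled destination (e.g. the havedane.net test) confirms verification.
smtp_tls_loglevel = 1
```

Check the effective values with `postconf -n` after reloading; a destination that publishes TLSA records but logs an "Untrusted" or "Anonymous" TLS connection instead of "Verified" usually means the resolver is not returning DNSSEC-validated answers.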
TLSv1.3 is a lot saner. It only has ECDHE (no DHE parameter gotchas) and OpenSSL only implements the 5 standard ciphers which all have at least 128-bit security and forward secrecy. Gets rid of all the obscure curves too. That's why the Modern configuration has no cipher config.