YunoHost / issues

General issue tracker for the YunoHost project

Enforce SMTP transport encryption with DNS-based Authentication of Named Entities #2303

Open renne opened 7 months ago

renne commented 7 months ago

Yunohost uses STARTTLS to handshake TLS encryption, which is prone to downgrade attacks. DANE-SMTP was developed to prevent these downgrade attacks. In DANE-SMTP the SMTP server announces the DANE requirement via a TLSA record in the DNS zone. If an SMTP client supports DANE-SMTP, it will only connect if the SSL certificate of the SMTP server matches the TLSA record and TLS encryption is enforced.

Please enable DANE-SMTP in Yunohost.

renne commented 7 months ago

Outgoing SMTP with DANE: add the file /etc/dnsmasq.d/dnssec to enable DNSSEC validation:

# Root zone trust anchors shipped with the dnsmasq-base package
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
# Validate DNSSEC signatures: bogus answers are refused, unsigned zones still resolve
dnssec

Changes in /etc/postfix/main.cf:

# Request DNSSEC-validated answers from the resolver; DANE cannot be used without this
smtp_dns_support_level = dnssec
# Use TLSA records when the destination publishes them, otherwise fall back to opportunistic TLS
smtp_tls_security_level = dane

ericgaspar commented 7 months ago

why ping @tituspijean?

renne commented 7 months ago

Dumb idea ;-)

renne commented 7 months ago

Incoming SMTP with DANE:

  1. Enable DNSSEC at your domain registrar.
  2. Install the Debian package ldnsutils.
  3. When the certificate changes, replace the TLSA record in the DNS zone with the output of: ldns-dane create -c /etc/yunohost/certs/<domain>/crt.pem <domain> 443
  4. Create a CNAME record for each open SSL port, following the scheme _<port>._<tcp|udp> 3600 IN CNAME _443._tcp.<domain>.
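The TLSA record from step 3, built and checked with plain openssl instead of ldns-dane, as an added example that is not part of this issue or of YunoHost. It produces the same "3 1 1" form (usage DANE-EE, selector SPKI, matching type SHA-256) that ldns-dane create emits by default, and also shows what a DANE-aware client compares at connection time. The host name mail.example.test, the self-signed test certificates and the function names (tlsa_spki_sha256, tlsa_record, tlsa_matches, make_test_cert, renew_test_cert, tlsa_rollover_records) are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: generate and verify "3 1 1" TLSA records for DANE-SMTP with openssl.
# Assumes a stock openssl binary; the certificates and names below are constructed for the demo.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate
# (selector 1 = SPKI, matching type 1 = SHA-256).
tlsa_spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Zone-file line for one port, e.g. "_25._tcp.mail.example.test. IN TLSA 3 1 1 <hex>".
# Usage 3 (DANE-EE) pins the server key itself; the CA chain plays no role in the match.
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$3" "$2" "$(tlsa_spki_sha256 "$1")"
}

# What a DANE client does with a "3 1 1" record: hash the presented certificate's SPKI
# and compare it with the published value. Returns 0 on match, 1 on mismatch,
# 2 when the record uses parameters this helper does not implement.
tlsa_matches() {
    cert=$1
    set -- $2
    if [ "$1" != 3 ] || [ "$2" != 1 ] || [ "$3" != 1 ]; then
        echo "unsupported TLSA parameters: $1 $2 $3" >&2
        return 2
    fi
    published=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    [ "$(tlsa_spki_sha256 "$cert")" = "$published" ]
}

# Constructed self-signed certificate with a fresh RSA key (demo only, not a real mail cert).
# The private key is written next to the certificate as "<cert>.key".
make_test_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Re-issue a certificate for an existing key, as a renewal with key reuse does.
# Because "3 1 1" hashes only the public key, such a renewal leaves the TLSA record unchanged.
renew_test_cert() {
    openssl req -x509 -new -key "$1" -days 1 \
        -subj "/CN=mail.example.test" -out "$2" >/dev/null 2>&1
}

# Key rollover: records for the current and the next certificate.
# Publish both, wait at least one TTL, then install the new certificate and remove the old
# record. Installing the new key before its record is visible makes DANE clients refuse delivery.
tlsa_rollover_records() {
    tlsa_record "$1" "$3" "$4"
    tlsa_record "$2" "$3" "$4"
}
```

With a real certificate this is `tlsa_record /etc/yunohost/certs/<domain>/crt.pem <domain> 443`, which yields the record the scheme above points the `_25._tcp` and other CNAMEs at. Sending MTAs look the record up under the MX host name, so `<domain>` must be the name the MX record resolves to, and the record must change only through the two-record rollover shown here (or by keeping the key across renewals), otherwise mail from DANE-enforcing senders bounces for the duration of the mismatch.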
tituspijean commented 7 months ago

> Dumb idea ;-)

Most likely, though I am curious about your thought process.

> It is required in Germany

No. These are guidelines. https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/technische-richtlinien_node.html

> As it is state of the art it is also required by the General Data Protection Regulation of the European Union.

Is there a reliable source about that, or are you namedropping the GDPR here?

Please stay technical and do not try to "impress" contributors. It does not work. If I am wrong, do correct me. If I am right, please edit your first message and we will clean up this thread.

renne commented 7 months ago

> > Dumb idea ;-)
>
> Most likely, though I am curious about your thought process.

Probably just the habit of addressing people in forums. And this is not a forum.

> > It is required in Germany
>
> No. These are guidelines. https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/technische-richtlinien_node.html
>
> > As it is state of the art it is also required by the General Data Protection Regulation of the European Union.
>
> Is there a reliable source about that, or are you namedropping the GDPR here?
>
> Please stay technical and do not try to "impress" contributors. It does not work. If I am wrong, do correct me. If I am right, please edit your first message and we will clean up this thread.

To avoid a lengthy legal discussion about articles 25 and 32 of the GDPR I have removed the legal reason for this issue.