Open renne opened 7 months ago
Outgoing SMTP with DANE:

Add the file /etc/dnsmasq.d/dnssec to enable DNSSEC validation:

    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
    dnssec

Changes in /etc/postfix/main.cf:

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
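The two Postfix settings above only work as a pair: Postfix treats `smtp_tls_security_level = dane` as plain opportunistic `may` (and logs a warning) when `smtp_dns_support_level` is not `dnssec`, and `dnssec` in turn only means something if the resolver in /etc/resolv.conf (the dnsmasq instance configured above) actually validates and sets the AD bit. The script below is an added example, not YunoHost code and not part of the original report: it parses a main.cf fragment and reports the effective outbound TLS level. The helper names (`parse_main_cf`, `outbound_dane_status`) and the two sample fragments are constructed for this illustration.

```python
"""Report the effective outbound TLS level of a Postfix main.cf (added example)."""

# Postfix defaults for the parameters that matter here; an empty
# smtp_dns_support_level means "enabled" (no DNSSEC), an empty
# smtp_tls_security_level means no TLS at all.
POSTFIX_DEFAULTS = {
    "smtp_tls_security_level": "",
    "smtp_dns_support_level": "",
}

# Constructed sample fragments: the first is what you get if only the
# "dane" line is added, the second is the complete pair from the report.
MAIN_CF_INCOMPLETE = """\
# outbound TLS
smtp_tls_security_level = dane
"""

MAIN_CF_DANE = """\
# outbound TLS
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
"""


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines; comments and blank lines are ignored,
    lines starting with whitespace continue the previous value, and a
    later assignment overrides an earlier one, as in Postfix itself."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def outbound_dane_status(main_cf_text: str) -> tuple:
    """Return (effective_level, reason) for outbound SMTP TLS."""
    cfg = {**POSTFIX_DEFAULTS, **parse_main_cf(main_cf_text)}
    level = cfg["smtp_tls_security_level"]
    if level != "dane":
        return level or "none", "smtp_tls_security_level is not 'dane'"
    if cfg["smtp_dns_support_level"] != "dnssec":
        # Postfix downgrades dane -> may here; no TLSA lookups happen.
        return "may", "dane requires smtp_dns_support_level = dnssec"
    return "dane", "TLSA records are looked up via DNSSEC and enforced when present"


if __name__ == "__main__":
    for label, fragment in (("incomplete", MAIN_CF_INCOMPLETE), ("complete", MAIN_CF_DANE)):
        print(label, outbound_dane_status(fragment))
```

Note that even the complete pair is only as good as the resolver: Postfix trusts the AD bit from whatever nameserver it talks to, so the local validating dnsmasq (or unbound) must be the only resolver listed, and `dig +dnssec` against it should show the `ad` flag for a signed zone.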
why ping @tituspijean?
Dumb idea ;-)
Incoming SMTP with DANE:

ldnsutils:

    ldns-dane create -c /etc/yunohost/certs/<domain>/crt.pem <domain> 443

    _<port>._<tcp|udp> 3600 IN CNAME _443._tcp.<domain>.
> Dumb idea ;-)

Most likely, though I am curious about your thought process.

> It is required in Germany

No. These are guidelines. https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/technische-richtlinien_node.html

> As it is state of the art it is also required by the General Data Protection Regulation of the European Union.

Is there a reliable source about that, or are you namedropping the GDPR here?

Please stay technical and do not try to "impress" contributors. It does not work. If I am wrong, do correct me. If I am right, please edit your first message and we will clean up this thread.

> > Dumb idea ;-)
>
> Most likely, though I am curious about your thought process.

Probably just the habit of addressing people in forums. And this is not a forum.
To avoid a lengthy legal discussion about articles 25 and 32 of the GDPR I have removed the legal reason for this issue.
Yunohost uses STARTTLS to negotiate TLS encryption, which is prone to downgrade attacks. DANE-SMTP was developed to prevent these downgrade attacks. In DANE-SMTP the SMTP server announces the DANE requirement via a TLSA record in the DNS zone. If an SMTP client supports DANE-SMTP, it will only connect if the SSL certificate of the SMTP server matches the TLSA record and TLS encryption is enforced.

Please enable DANE-SMTP in Yunohost.
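To make the TLSA matching described above concrete, here is an added example in pure standard-library Python (not YunoHost code and not from the original report). It does what the earlier `ldns-dane create` step produces for a DANE-EE record (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) and what a DANE-aware SMTP client does with such a record: hash the presented leaf certificate's public key and compare it, in constant time, against the association data published in DNS. The certificate it runs on is a constructed, unsigned minimal DER structure so the script works offline; in practice you would feed it /etc/yunohost/certs/<domain>/crt.pem through `pem_to_der`. All function names here are this example's own. Usage 2 (DANE-TA) records are deliberately skipped because they need chain building that this example does not implement.

```python
"""DANE-EE TLSA record generation and client-side matching (added example)."""
import base64
import hashlib
import hmac


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.
    Certificate = SEQ { tbsCertificate, sigAlg, signature }; tbsCertificate =
    SEQ { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, spki, ... }"""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        tag, _, pos = _read_tlv(tbs, pos)
        fields.append((tag, tbs[start:pos]))
    if fields[0][0] == 0xA0:                # explicit [0] version present: drop it
        fields = fields[1:]
    return fields[5][1]


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> bytes:
    """TLSA rdata per RFC 6698: usage | selector | matching type | association data."""
    if selector == 0:
        data = cert_der                     # Cert(0): the whole certificate
    elif selector == 1:
        data = extract_spki(cert_der)       # SPKI(1): key only, survives renewal with the same key
    else:
        raise ValueError("unsupported selector")
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError("unsupported matching type")
    return bytes([usage, selector, mtype]) + data


def tlsa_presentation(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Zone-file form such as '3 1 1 <sha256 hex>' (what `ldns-dane create` prints)."""
    return f"{usage} {selector} {mtype} {tlsa_rdata(cert_der, usage, selector, mtype)[3:].hex()}"


def parse_tlsa_presentation(text: str):
    """'3 1 1 <hex>' as printed by dig -> (usage, selector, mtype, data)."""
    u, s, m, hexdata = text.split()
    return int(u), int(s), int(m), bytes.fromhex(hexdata)


def verify_dane_ee(cert_der: bytes, tlsa_records) -> bool:
    """Client side: accept the presented leaf certificate if any DANE-EE
    (usage 3) record matches it. Unusable records are skipped, not treated as failures."""
    for usage, selector, mtype, data in tlsa_records:
        if usage != 3:
            continue                        # DANE-TA (2) needs chain validation: out of scope
        try:
            expected = tlsa_rdata(cert_der, usage, selector, mtype)[3:]
        except ValueError:
            continue
        if hmac.compare_digest(expected, data):
            return True
    return False


def pem_to_der(pem_text: str) -> bytes:
    """First CERTIFICATE block of a PEM file (e.g. /etc/yunohost/certs/<domain>/crt.pem) as DER."""
    lines = pem_text.splitlines()
    start = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(l.strip() for l in lines[start:end]))


def der_to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def _constructed_sample_cert():
    """Minimal, syntactically valid but unsigned DER certificate (constructed test data only)."""
    def oid(h): return der_tlv(0x06, bytes.fromhex(h))
    alg_rsa = der_tlv(0x30, oid("2a864886f70d010101") + der_tlv(0x05, b""))   # rsaEncryption, NULL
    alg_sig = der_tlv(0x30, oid("2a864886f70d01010b") + der_tlv(0x05, b""))   # sha256WithRSAEncryption
    rsa_key = der_tlv(0x30, der_tlv(0x02, bytes(range(1, 65))) + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, alg_rsa + der_tlv(0x03, b"\x00" + rsa_key))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, oid("550403") + der_tlv(0x0C, b"mail.example.org"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg_sig + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg_sig + der_tlv(0x03, b"\x00" + bytes(32))), spki


SAMPLE_CERT_DER, SAMPLE_SPKI_DER = _constructed_sample_cert()

if __name__ == "__main__":
    print("_25._tcp.mail.example.org. 3600 IN TLSA", tlsa_presentation(SAMPLE_CERT_DER))
    record = parse_tlsa_presentation(tlsa_presentation(SAMPLE_CERT_DER))
    print("client accepts certificate:", verify_dane_ee(SAMPLE_CERT_DER, [record]))
```

Two operational caveats follow from this matching rule. A `3 1 1` record pins the public key, so a certificate renewal that generates a fresh key (the default for most ACME clients unless key reuse is enabled) silently invalidates the record, and DANE-aware senders then refuse to deliver until the zone is updated; publish the new hash before switching certificates and keep the old record until the TTL has expired. Likewise, the `_<port>._tcp CNAME _443._tcp.<domain>.` shortcut from the earlier comment is only correct if the SMTP service presents the same certificate and key as the web service on port 443.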