bbottema / simple-java-mail

Simple API, Complex Emails (Jakarta Mail smtp wrapper)
http://www.simplejavamail.org
Apache License 2.0

DANE validation #255

Closed: fwiersENO closed this issue 1 year ago

fwiersENO commented 4 years ago

Hello,

this is a request to review a DANE "email transport security" implementation and maybe add it to simple-java-mail. I (or my company) open-sourced a DANE validation implementation at https://github.com/fwiersENO/java-mail-dane/. The code in that project could be the start for a library that simple-java-mail can use, e.g. as part of the TransportStrategy enum.

The main reason for open-sourcing the java-mail-dane project is to verify the DANE security-related code in TrustManagerDane.java. The security-related code should be correct (unit tests and such are included in the project), but since it is security-related code, a second opinion would be beneficial.

Can you, or somebody you know, take a look if you are interested?

bbottema commented 4 years ago

Having read a bit more about DANE, I'm very interested in including this in the library. However, Simple Java Mail is built for the lowest common denominator, meaning it is compiled for Java 7 runtime, whereas your library is made with Java 11.

Also please note I'm not an authority on email security whatsoever. I would just integrate your library and hope it works as intended with some obvious flows tested before releasing (although AWS support for DNSSEC seems limited, which handles my domains). As a single person maintaining Simple Java Mail, I depend on bug reports to mature the library.

Looking at your implementation, it looks like DANE connections are achieved by using a custom SSLSocketFactory, which is already a possibility (through "mail.smtp.ssl.socketFactory" as well as mailerBuilder.withCustomSSLSocketFactory(..)).

How would you propose to make DANE part of the Simple Java Mail API? Until now the TransportStrategy was a completely isolated config setting, but if we were to add, say, TransportStrategy.DANE, you would have to provide auxiliary config details (DNSSEC DNS server).

fwiersENO commented 4 years ago

Thank you for your feedback, good to hear it is of interest.

The project is almost, but not really, a library; I propose you copy/paste/update what you really need.

DNSSEC is indeed a requirement for DANE but also a bit of a hassle. To get around the "auxiliary config details" you can use dnssec-java (https://github.com/ibauersachs/dnssecjava/tree/dnssecjava-1.2.0). I have used that library in the past (with success) when only a "normal" DNS server (without DNSSEC capabilities) is available. The 1.2.0 version of dnssec-java is only released in Maven for Java 8 but you can compile the code for Java 7 (see also https://github.com/ibauersachs/dnssecjava/issues/20). When using dnssec-java, make sure the response contains the AD flag (in the readme on the project page shown as response.getHeader().getFlag(Flags.AD)) because that is what makes the response "DNSSEC".

A TransportStrategy.DANE sounds like a good idea; the only "hard part" I can see is that the TrustManagerDane somehow needs to know which DaneRecord to compare to. I am not familiar enough with your project to determine where/when exactly the DANE DNS related functions should be executed. You might be able to maintain a simple (concurrent) map of <email-domain, DaneRecord> and use that in the TrustManagerDane or you might be able to look up the DaneRecord from within the TrustManagerDane itself.

One note on the bug reports for maturing the library: when it comes to security-related code, this has failed in the past (OpenSSL comes to mind). Some form of warning when using TransportStrategy.DANE should be in place.
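
The map-based lookup and certificate comparison suggested in the comment above, as an added sketch that is not part of the original thread and not code from java-mail-dane or Simple Java Mail. All class, field and method names are hypothetical; it assumes one TLSA record per domain key, handles only certificate usage 3 (DANE-EE), and relies on the caller storing records only from DNSSEC-validated (AD flag set) answers.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.X509TrustManager;
// Added sketch: class, field and method names are hypothetical, not java-mail-dane's.
public class DaneEeTrustManager implements X509TrustManager {
    // One TLSA record (RFC 6698): usage, selector, matching type, association data.
    public static final class Tlsa {
        final int usage, selector, matchingType;
        final byte[] data;
        public Tlsa(int usage, int selector, int matchingType, byte[] data) {
            this.usage = usage; this.selector = selector; this.matchingType = matchingType;
            this.data = data.clone();
        }
    }

    // Assumption: the caller stores only records from DNSSEC-validated answers (AD flag set).
    public static final Map<String, Tlsa> RECORDS = new ConcurrentHashMap<>();
    private final String domain;
    public DaneEeTrustManager(String domain) { this.domain = domain; }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        Tlsa tlsa = RECORDS.get(domain);
        // Fail closed: a missing record is an error, never a fallback to "trust anything".
        if (tlsa == null) throw new CertificateException("No validated TLSA record for " + domain);
        if (tlsa.usage != 3) throw new CertificateException("Sketch handles usage 3 (DANE-EE) only");
        if (chain == null || chain.length == 0) throw new CertificateException("Empty chain");
        // Selector 0 = whole certificate (DER), 1 = SubjectPublicKeyInfo (DER).
        byte[] selected;
        if (tlsa.selector == 0) selected = chain[0].getEncoded();
        else if (tlsa.selector == 1) selected = chain[0].getPublicKey().getEncoded();
        else throw new CertificateException("Unknown selector " + tlsa.selector);
        if (!MessageDigest.isEqual(digest(tlsa.matchingType, selected), tlsa.data))
            throw new CertificateException("Certificate does not match TLSA record for " + domain);
    }
    // Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    static byte[] digest(int matchingType, byte[] input) throws CertificateException {
        if (matchingType == 0) return input;
        if (matchingType != 1 && matchingType != 2) throw new CertificateException("Unknown matching type");
        try {
            return MessageDigest.getInstance(matchingType == 1 ? "SHA-256" : "SHA-512").digest(input);
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        throw new CertificateException("Client authentication not supported");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```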

bbottema commented 1 year ago

Hi @fwiersENO. It's been a while. As I'm slowly bringing down standing issues, I might be able to look into DANE again to see if it's still interesting. Do you have an update for me? I saw the library merged into another project? Anything I can use from there?

fwiersENO commented 1 year ago

Hello @bbottema, I do remember using the updated "dnsjava" library to accomplish the same as what I did with "dnssecjava" (and I see there is a good example as well at https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md). As for the "java-mail-dane" project, I have not received any updates but also no complaints.

bbottema commented 1 year ago

I had another look at this. The DANE library you referenced is in Java 11 and so out of scope for Simple Java Mail, since in 2023, still a third of all Java usage is Java 8 LTS. It will be another few years before Java 8 falls out of use and Simple Java Mail will move to Java 11 (Java 8 is supported until 2030, so we have time).