Check for RFC8460, SMTP-TLS reporting (TLS-RPT)

[mdavids]

Aangezien er gecheckt wordt op STARTTLS / DANE, vroeg ik me af of we niet ook een check moeten toevoegen op het bestaan van SMTP-TLS reporting (https://www.rfc-editor.org/rfc/rfc8460.html)?

We zouden daar een 'informational' van kunnen maken.

Voorbeeld:

dig TXT _smtp._tls.sidn.nl

[WKobes]

Related/partial duplicate: https://github.com/internetstandards/Internet.nl/issues/458

[baknu]

Further ideas on this (from a discussion between SR and BK):

• Subtest for TLS-RPT should be part of email test (https://en.internet.nl/test-mail/).
• Probably create separate (fourth) category "Reporting" under "Secure mail server connection (STARTTLS and DANE)".
• Subtest should check for (1) presence and (2) validity of a TLS-RPT DNS record of a tested domain.
• Working of TLS-RPT subtest should be similar to existing subtests for DMARC and SPF.
• Failing will result in either an "informational" ℹ️ or a "warning" ⚠️ (to be decided). But not a "bad" ❌ as we currently do not have plans to let this subtest weigh into the score.
• Preferably a proven Python parser/validator is used for the machinery of the subtest. This was also done for the security.txt subtest that makes use of https://github.com/DigitalTrustCenter/sectxt.
• Content (test verdict, technical details, test explanation) should be available in English and Dutch.
• The subtest for TLS-RPT should also be included in the API of the batch version of Internet.nl (http://redocly.github.io/redoc/?url=https://batch.internet.nl/api/batch/openapi.yaml).
• Practice what you preach: Internet.nl itself should probably also publish a TLS-RPT record. See also: https://github.com/internetstandards/Internet.nl/issues/957

[patrickbenkoetter]

Further ideas on this (from a discussion between SR and BK):

* Subtest for TLS-RPT should be part of email test (https://en.internet.nl/test-mail/).

* Probably create separate (fourth) category "Reporting" under "Secure mail server connection (STARTTLS and DANE)".

* Subtest should check for (1) presence and (2) validity of a TLS-RPT DNS record of a tested domain.

* Working of TLS-RPT subtest should be similar to existing subtests for DMARC and SPF.

* Failing will result in either an "informational" ℹ️ or a "warning" ⚠️ (to be decided). But not a "bad" ❌ as we currently do not have plans to let this subtest weigh into the score.

* Preferably a proven Python parser/validator is used for the machinery of the subtest. This was also done for the security.txt subtest that makes use of https://github.com/DigitalTrustCenter/sectxt.

* Content (test verdict, technical details, test explanation) should be available in English and Dutch.

* The subtest for TLS-RPT should also be included in the API of the batch version of Internet.nl (http://redocly.github.io/redoc/?url=https://batch.internet.nl/api/batch/openapi.yaml).

* Practice what you preach: Internet.nl itself should probably also publish a TLS-RPT record. See also: [Set up functional mailbox on @internet.nl for reporting used by several standards #957](https://github.com/internetstandards/Internet.nl/issues/957)

@baknu We're all in for your suggestions but we might need some help on the Dutch content once we will have the English done. Mind to help us with that?

[baknu]

@baknu We're all in for your suggestions but we might need some help on the Dutch content once we will have the English done. Mind to help us with that?

Sure, we can help with that.

[uwekamper]

There is now a PR here: https://github.com/internetstandards/Internet.nl/pull/1300