virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

Virtualmin is missing DANE rollover scheme DNS records. #116

Open chris001 opened 4 years ago

chris001 commented 4 years ago

From internet.nl checker: https://en.internet.nl/mail/virtualmin.com/273526/#control-panel-26 (This test failure needs fixing on all Virtualmin servers, not just on https://virtualmin.com )

DANE rollover scheme

Verdict: At least one of your mail server domains does not have an active DANE scheme for a reliable rollover of certificate keys.

Test explanation: We check if there is an active DANE scheme to reliably handle certificate rollovers on your mailserver(s). Such a scheme will prove useful when there is a need to update your mail server certificate(s). It can prevent DANE from becoming invalid during the transition period, which could endanger mail deliverability at your domain. A rollover scheme is not expected to be 'active' all the time.

Below you will find two possible DANE rollover procedures (source: slides by Viktor Dukhovni https://static.ptbl.co/static/attachments/169319/1520904692.pdf ). In each procedure, two DANE TLSA records need to be present which is checked by this subtest.

Requirement level: Optional
I highly recommend that we generate these two DNS records, because of the huge need to protect information security, and continuous mail delivery, on Virtualmin servers...

DANE rollover procedures:

1. Current + Next

   Generate next key when deploying current key and cert. Deploy new chain, and publish new TLSA records:

   ```
   _25._tcp.mx.example.com. IN TLSA 3 1 1 curr-pubkey-sha256
   _25._tcp.mx.example.com. IN TLSA 3 1 1 next-pubkey-sha256
   ```

   Weeks later, obtain certificate for pre-generated next key. But first, make sure TLSA record is already in place. Repeat!

2. Current + Issuer CA

   Publish TLSA RRs for server key & issuer CA key:

   ```
   _25._tcp.mx.example.com. IN TLSA 3 1 1 ee-pubkey-sha256
   _25._tcp.mx.example.com. IN TLSA 2 1 1 ta-pubkey-sha256
   ```

   Deploy certificates from same CA. If EE key changes: promptly update the 3 1 1 hash to match the new EE key. If CA key changes: keep the same EE key, obtain a cert from the new CA, and promptly update the 2 1 1 hash to match the new CA key.

jcameron commented 4 years ago

Thanks, I didn't even know about DANE rollover!