ANNOUNCE - indimail-mta-2.4 - DANE implementation


Cprogrammer

Apr 26, 2018, 5:59:52 AM
to indimail
Release 2.4 of indimail-mta comes with an implementation of DANE. It consists of
  1. qmail-dane which runs as a daemon on port 1998
  2. helper program for qmail-dane /usr/libexec/indimail/daneprog. daneprog uses danetool from gnutls-utils package to query the TLSA records for a domain.
  3. library function tlsacheck()
  4. daneq - command line utility to query the qmail-dane daemon for TLSA verification. daneq uses the tlsacheck() function and can be used as an example for programmers to have their own DANE implementation.
  5. man pages for qmail-dane, daneq, tlsacheck().
The implementation is not fully complete because of the following 2 reasons:
  1. I have to call tlsacheck() function in qmail-remote
  2. Have to include option in svctool to create a supervised service for qmail-dane
The way this DANE implementation works is like this:
  • qmail-dane binds on UDP port 1998 and expects a packet of the form 'Ddomain_name\0' where domain_name is the name of a domain whose TLSA RR are to be verified
  • If the domain is in a whitelist file, the daemon responds back with success
  • If the file /etc/indimail/control/tlsadomains exists, then only domains listed in this file will undergo TLSA RR verification
  • qmail-dane then calls the program /usr/libexec/indimail/daneprog passing the domain name as argument
  • daneprog uses danetool binary to do the actual verification and indicates this by proper return code
  • qmail-dane then stores the result in an in-memory hash table. Next time a query for the same domain is received, qmail-dane will not again query the DNS for the TLSA RR. These records are maintained in-memory until a timeout (specified as a command line argument to qmail-dane) is reached
I also have to attempt to write a 'C' version of the helper program - daneprog. This will be done by looking at the source code of danetool program from gnutls-utils package. Any help here will be appreciated.


DATE: Thu Apr 26 14:40:06 IST 2018

Announcing Release 2.4 of indimail-mta

Following are the main features of this release

o svctool option to refresh services. This ensures latest variables
  get created
o moved multiple system binaries to sbin
o svctool - use SHA-512 encryption for indisrvr admin password
o svctool - moved enabling/disabling of services to separate functions
  --enable-service, --disable-service
o svctool - added --ssl, --require-secure-transport command line option
  for mysqld
o svctool - create SSL/TLS config for MariaDB like mysql_ssl_rsa_setup
  utility for mysql-community-server
o BUG - str_cpyb.c - fixed extra bytes getting copied
o Fixed Bug with VIRTUAL_PKG_LIB env variable
o qmail-dane(8), daneq(1), tlsacheck(3) - DANE implementation for
  indimail-mta

indimail-mta has RPM / DEB / yum / apt repository for most of the
Linux Distros at


Install Instructions

Currently, the list of supported distributions for indimail-mta is

    * SUSE
          o openSUSE_Leap_42.3
          o openSUSE_Leap_42.2
          o openSUSE 13.2
          o openSUSE 13.1
          o SUSE Linux Enterprise 12 SP2
          o SUSE Linux Enterprise 12 SP1
          o SUSE Linux Enterprise 12

    * Red Hat
          o Fedora 27
          o Fedora 26
          o Red Hat Enterprise Linux 7
          o Red Hat Enterprise Linux 6
          o CentOS 7
          o CentOS 6

    * Debian
          o Debian 8.0
          o Debian 7.0
          o Ubuntu 17.04
          o Ubuntu 16.10
          o Ubuntu 16.04
          o Ubuntu 14.04
          o Ubuntu 12.04
 
The source can be downloaded at
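As an added example (not indimail-mta's own code), the query packet format and the lookup flow described in the post above, modelled in Python: build_query() produces the 'Ddomain_name\0' packet for UDP port 1998, query_daemon() sends it, and DaneVerifierModel is an assumed model of the whitelist, tlsadomains gate, helper call and in-memory cache with timeout; the reply format, the "skip" verdict for unlisted domains and the helper callable standing in for daneprog are assumptions.

```python
import socket
import time

QMAIL_DANE_PORT = 1998  # UDP port the announcement says qmail-dane binds to


def build_query(domain: str) -> bytes:
    """Query packet per the announcement: 'D' + domain_name + NUL."""
    if not domain or not domain.isascii() or any(c in domain for c in "\0 \r\n"):
        raise ValueError("domain must be non-empty ASCII without NUL or whitespace")
    return b"D" + domain.encode("ascii") + b"\0"


def query_daemon(domain, host="127.0.0.1", port=QMAIL_DANE_PORT, timeout=5.0):
    """Send one query over UDP and return the raw reply. The reply format is
    not given in the announcement, so it is returned unparsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain), (host, port))
        data, _ = s.recvfrom(512)
    return data


class DaneVerifierModel:
    """Model (assumption, not qmail-dane's code) of the decision flow described:
    whitelist -> tlsadomains gate -> in-memory cache with timeout -> helper."""

    def __init__(self, helper, whitelist=(), tlsadomains=None, timeout=3600, clock=time.time):
        self.helper = helper          # stands in for daneprog; returns True/False
        self.whitelist = set(whitelist)
        self.tlsadomains = None if tlsadomains is None else set(tlsadomains)
        self.timeout, self.clock = timeout, clock
        self.cache = {}               # domain -> (verdict, expiry time)
        self.helper_calls = 0         # how often the external verifier ran

    def check(self, domain: str) -> str:
        if domain in self.whitelist:
            return "pass"             # whitelisted: no TLSA lookup at all
        if self.tlsadomains is not None and domain not in self.tlsadomains:
            return "skip"             # tlsadomains exists and domain is not listed
        now = self.clock()
        hit = self.cache.get(domain)
        if hit and hit[1] > now:
            return hit[0]             # cached verdict still within timeout
        self.helper_calls += 1
        verdict = "pass" if self.helper(domain) else "fail"
        self.cache[domain] = (verdict, now + self.timeout)
        return verdict
```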