Skip to first unread message
Cprogrammer
May 31, 2018, 8:51:32 AM5/31/18
to indimail
DATE: Thu May 31 17:38:03 IST 2018
Announcing Release 2.5 of indimail-mta. This release comes with DANE validation feature in qmail-remote. It also includes a DANE validation daemon qmail-daned. Clients desiring DANE validation can simply connect to port 1998 and delegate DANE verification for a host.
DANE verification can be turned on in qmail-remote by setting the DANE_VERIFICATION environment variable. If this variable is of the form host@port, qmail-remote will delegate DANE verification to qmail-daned. This approach may be faster (because of caching), but the downside is that qmail-daned ignores DNS record ttl at the moment. This release comes with a DANE tester - dnstlsarr. Few example usages are given below
Example 1
$ dnstlsarr postino.cesnet.cz
terenasslca3ta.cesnet.cz ttl=3282 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=3282 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
Example 2
$ dnstlsarr -v 2 -s mail.ietf.org
checking mail.ietf.org
TLSARR[0]:_25._tcp.mail.ietf.org IN TLSA ( 3 1 1 0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6 )
220 ietfa.amsl.com ESMTP
Client: EHLO argos
250-PIPELINING
250-SIZE 67108864
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
Client: STARTTLS
220 2.0.0 Ready to start TLS
matched sha256 fingerprint [0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6] of subjectPublicKeyInfo
Client: QUIT
221 2.0.0 Bye
Example 3 - querying the MX record to get the TLSA RR
$ dnstlsarr -v 2 -s postino.cesnet.cz
checking postino.cesnet.cz
TLSARR[0]:terenasslca3ta.cesnet.cz IN TLSA ( 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25 )
TLSARR[1]:terenasslca3ta.cesnet.cz IN TLSA ( 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8 )
220 postino.cesnet.cz ESMTP
Client: EHLO argos
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Client: STARTTLS
220 2.0.0 Ready to start TLS
failed sha256 fingerprint [be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25] of full certificate
matched sha256 fingerprint [beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8] of full certificate
Client: QUIT
221 2.0.0 Bye
Example 4 - getting TLSA RR by giving the domain name
$ dnstlsarr -m cesnet.cz
MX postino.cesnet.cz IPv6 2001:718:1:101::144:24210
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX postino.cesnet.cz IPv4 195.113.144.24210
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX cartero.cesnet.cz IPv6 2001:718:ff05:202::1650
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX cartero.cesnet.cz IPv4 78.128.216.1650
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX mail.cesnet.cz IPv4 195.113.144.234100
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
The current implementation does not use DNSSEC. At the moment, I still have not figured out how to do DNSSEC. So this feature could come in future release. Also the code is largely untested. Use it at your own risk.
The build will be ready next week on openSUSE build service.
Following are the main features of this release
o DANE validation added to qmail-remote
o new dns_tlsarr() function in dns.c
o dnstlsarr utility to fetch TLSA Resource Records and perform DANE validations
indimail-mta has RPM / DEB / yum / apt repository for most of the
Linux Distros at
Install Instructions
Currently, the list of supported distributions for indimail-mta is
* SUSE
o openSUSE_Leap_15
o openSUSE_Leap_42.3
o openSUSE_Leap_42.2
o openSUSE 13.2
o SUSE Linux Enterprise 12
o SUSE Linux Enterprise 15
* Red Hat
o Fedora 28
o Fedora 27
o Red Hat Enterprise Linux 7
o Red Hat Enterprise Linux 6
o CentOS 7
o CentOS 6
* Debian
o Debian 9.0
o Debian 8.0
o Ubuntu 18.04
o Ubuntu 17.04
o Ubuntu 16.10
o Ubuntu 16.04
o Ubuntu 14.04
o Ubuntu 12.04
ChangeLog
=========
o qmail-multi.c - fixed qscanq path to sbin
o fixed do_scan() for badattachment check
o qmail-remote.c, smtpd.c disable SSLv2, SSLv3 to fix POODLE vulnerability
o remove hardcoded servicedir in spec file
o dnsmxip - print host along with ip
o added foxhole_all.cdb for banned extensions in clamav
o svctool option --config=foxhole for creating foxhole_all.cdb
o BUG - do_scan.c - break out of loop if file extension matches a line in badext
o qmail-remote, qmail-daned - added dane verification code using getdns
o substdo.c - added subsdio_discard() function to discard unflushed data
o dns.c - added dns_tlsarr() function to query TLSA records
o qmail-remote.c - added inbuilt DANE verification function using dns_tlsarr() function
o qmail-remote.c - added DANE verification function via qmail-daned
o qmail-remote.c - added tlsadomains control file check
o qmail-daned.c - removed DANE verification via external DANEPROG script
o qmail-daned.c - use dns_tlsarr() function.
o tlsacheck.c - modified for qmail-remote query/update
o qdane.c - modified for qmail-remote query/update
o postinstall - create DANE verification service only if TLSA code is compiled
o removed calls to gethostbyname - tcpopen.c, udpopen.c, qmail-daned.c, qmail-greyd.c, udplogger.c, tablematch.c
o added qmail-daned service to refresh list
o dnstlsarr program - cmd line DANE validation tool
Reply all
Reply to author
Forward
0 new messages