Securing Security with DANE @ SWITCH (Lausanne)

1 Agenda and Slides

1.2 DANE workshop agenda

1.2.1 Day 1

  • Securing Security - the need for a policy channel
  • Optional Recap: DNSSEC
  • Recap: Use of TLS in Mail-Protocols (SMTP)
  • Hands-On: Postfix with TLS-Security
  • DANE: Anatomy of the TLSA-Record
  • Hands-On: Outgoing DANE

1.2.2 Day 2

  • Hands-On: Incoming DANE security - creating a TLSA-Record
  • Certificate Rollover and TLSA-Records
  • Automating TLSA-Record-Rollover
  • DANE and MTA-STS
  • Monitoring TLSA-Records and Certificates
  • TLS-Reporting for Mail

2 General Information

  • These instructions and the slides can be found online at https://switch-lausanne.dane.onl (the slides will be published as PDF files at the end of the training).
  • Please replace the placeholder characters NN in the instructions with your participant number. You can find your participant number in the table on this page.
  • We have prepared two Linux virtual machines on the Internet (one primary authoritative DNS server and one mail server). Both run Debian 12. You can reach them via secure shell (SSH) or via web browser (Cockpit terminal).

3 Securing Security

4 DNSSEC 1x1

5 Hands-On: Postfix with TLS-Security

5.1 Preparing the mail server

  • Login to the mail-server machine mail.zNN.dane.onl
  • Install the Postfix MTA. When the installer asks, select:
    • MTA for Internet Site
    • System Mail Name: mail.zNN.dane.onl
    % apt install postfix
    
  • Configure a log file for Postfix (as Debian 12 does not come with a syslog service preinstalled)
    % postconf maillog_file=/var/log/mail.log
    
  • Configure the correct mailhost parameters
    % postconf -e 'myhostname = mail.zNN.dane.onl'
    % postconf -e 'mydestination = $myhostname, zNN.dane.onl, localhost'
    
  • Enable opportunistic TLS (security level may: encrypt when the peer offers STARTTLS, but never refuse delivery) and TLS logging for incoming (smtpd) and outgoing (smtp) mail; smtp_tls_CAfile supplies the CA bundle against which outgoing peer certificates are classified as Trusted or Untrusted
    % postconf -e 'smtp_tls_loglevel = 1'
    % postconf -e 'smtp_tls_security_level = may'
    % postconf -e 'smtpd_tls_security_level = may'
    % postconf -e 'smtpd_tls_loglevel = 1'
    % postconf -e 'smtpd_tls_received_header = yes'
    % postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
    % postfix reload
    
  • On Debian, Postfix is pre-configured with a self-signed X.509 certificate (/etc/ssl/certs/ssl-cert-snakeoil.pem, private key /etc/ssl/private/ssl-cert-snakeoil.key). It is good enough for encryption, but no remote party can authenticate it.
  • Check the TLS configuration of your mail-server (enter the domain zNN.dane.onl) with the online service https://www.checktls.com/TestReceiver.
  • Log-entries from the checktls tests
    Oct 16 08:35:08 mail postfix/smtpd[44760]: connect from www12-azure.checktls.com[40.76.159.115]
    Oct 16 08:35:08 mail postfix/smtpd[44760]: Anonymous TLS connection established from www12-azure.checktls.com[40.76.159.115]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Oct 16 08:35:08 mail postfix/smtpd[44760]: disconnect from www12-azure.checktls.com[40.76.159.115] ehlo=2 starttls=1 mail=1 quit=1 commands=5
    
  • We now use the s_client subcommand of OpenSSL to connect to our own Postfix SMTP server and check that the connection is TLS secured (encrypted, but not authenticated: s_client reports a verify error for the self-signed certificate and continues anyway)
% openssl s_client -connect mail.zNN.dane.onl:25 -starttls smtp
[...]
---
250 SMTPUTF8
quit
221 2.0.0 Bye
closed
  • The log file /var/log/mail.log now shows an Anonymous TLS connection (encrypted, but s_client presented no client certificate, so nothing was authenticated):
% tail /var/log/mail.log
Oct 16 08:45:05 mail postfix/smtpd[44892]: connect from unknown[46.101.120.241]
Oct 16 08:45:05 mail postfix/smtpd[44892]: Anonymous TLS connection established from unknown[46.101.120.241]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct 16 08:45:14 mail postfix/smtpd[44892]: disconnect from unknown[46.101.120.241] ehlo=1 starttls=1 quit=1 commands=3
  • Now we test sending an email to one of the other participants. Use the other participant's number instead of YY in the instructions below (see the table of participants and server numbers above). You can send mails to several participants. Check your log file to see whether you have received mails from other participants.
% openssl s_client -connect 127.0.0.1:25 -starttls smtp
[..]
ehlo zNN.dane.onl
250-mail.zNN.dane.onl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: user@zNN.dane.onl
250 2.1.0 Ok
rcpt to: user@zYY.dane.onl
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello User,

this is a test mail without DANE security.
.
250 2.0.0 Ok: queued as 7E346659A7
quit
221 2.0.0 Bye
closed
  • The Postfix log file should now show that a mail has been sent from your mail server to the mail server of the other participant
% tail /var/log/mail.log
  • Install swaks, a command-line SMTP test tool
% apt install swaks
  • Send a mail to an address whose mail server presents an X.509 certificate trusted by the Debian CA bundle (smtp_tls_CAfile); here we use postmaster@dane.onl
% swaks --server localhost --tls \
   --to postmaster@dane.onl --from user@zNN.dane.onl
  • In the Postfix log we should now see a Trusted TLS connection (rather than an Anonymous one) for the outgoing delivery. Note that at security level may this classification is informational only: Postfix would have delivered the mail just as readily over an Untrusted or even a plaintext connection. The mail will bounce back, because no postmaster mailbox is configured on dane.onl; that is fine for this lab.
 % tail -f /var/log/mail.log
 Oct 19 08:52:09 mail postfix/smtp[49103]: Trusted TLS connection established to mail.dane.onl[46.38.233.133]:25:
                                           TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
                                           key-exchange ECDHE (prime256v1)
                                           server-signature RSA-PSS (2048 bits)

7 Postfix Mailserver and TLS

8 Hands-On: Outgoing DANE

8.1 DNSSEC validation

  • Work on the mail-server (mail.zNN.dane.onl)
  • Install the unbound DNS resolver and the BIND 9 DNS query tools
    % apt install unbound dnsutils
    
  • Check that the resolver does DNSSEC validation: the flags line of the response header must contain ad, which unbound sets only after successful validation
    % dig @localhost dane.onl +dnssec +multi
    
  • Point the OS resolver at the local validating unbound in /etc/resolv.conf. Postfix trusts the AD bit only from a resolver on the local host (or on an otherwise trusted path), so the loopback address is essential here
    nameserver 127.0.0.1
    

8.2 Enable outgoing DANE in Postfix

  • Configure Postfix to check DANE on outgoing mail. With smtp_tls_security_level = dane, destinations with usable (DNSSEC-validated) TLSA records are authenticated against them; all other destinations fall back to opportunistic TLS as with level may
% postconf -e "smtp_tls_security_level = dane"
% postconf -e "smtp_dns_support_level = dnssec"
% postfix reload
% postfix status
  • Send a mail to a mailbox on a DANE-secured mail domain; here we use cs@sys4.de, whose mail server mail.sys4.de publishes TLSA records
% swaks --server localhost --tls --to cs@sys4.de --from user@zNN.dane.onl
  • Example log entries. We should now see a Verified TLS connection instead of a Trusted TLS connection, which means Postfix authenticated the remote server against its DNSSEC-signed TLSA record:
Oct 19 13:27:52 mail postfix/smtp[53040]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 19 13:27:54 mail postfix/smtp[53040]: 23BF941732: to=<cs@sys4.de>, relay=mail.sys4.de[194.126.158.132]:25, delay=38, delays=0.02/0.12/37/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4SB7nP3dybzywj)
Oct 19 13:27:54 mail postfix/qmgr[53028]: 23BF941732: removed
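The trust levels Postfix logs in sections 5 and 8 (Anonymous, Untrusted, Trusted, Verified) are the only place an operator sees whether a delivery was actually authenticated. The following added example, written for this page and not part of the workshop material or of Postfix, audits a few log lines in the format shown above: it reports inbound sessions that never issued STARTTLS, outbound sessions that were not DANE-verified, and peers still negotiating TLS 1.0 or 1.1. The sample lines are three sessions copied from the excerpts on this page plus two constructed ones using RFC 5737 documentation addresses; the hostnames in those two are invented.

```python
"""Audit Postfix TLS log lines: inbound sessions that stayed in plaintext, outbound
deliveries that were encrypted but not authenticated, and legacy protocol versions.
Added example (stdlib only), not part of the workshop material or of Postfix."""
import re

# Postfix labels every TLS session (smtpd = inbound server side, smtp = outbound client side):
#   Anonymous  encrypted, no certificate checked
#   Untrusted  peer sent a certificate that does not chain to a CA in smtp_tls_CAfile
#   Trusted    certificate chains to a trusted CA; informational only at security level "may"
#   Verified   peer authenticated, e.g. by DANE TLSA records at smtp_tls_security_level = dane
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established (?P<dir>to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?::\d+)?: (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
# The smtpd disconnect summary lists only the commands the client actually used
DISC_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<cmds>.*)$")
LEGACY = {"TLSv1", "TLSv1.1"}
RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}

# Sample log: three sessions from this page plus two constructed ones
# (RFC 5737 documentation addresses 198.51.100.7 and 203.0.113.25, invented hostnames)
SAMPLE = """\
Oct 16 08:35:08 mail postfix/smtpd[44760]: connect from www12-azure.checktls.com[40.76.159.115]
Oct 16 08:35:08 mail postfix/smtpd[44760]: Anonymous TLS connection established from www12-azure.checktls.com[40.76.159.115]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct 16 08:35:08 mail postfix/smtpd[44760]: disconnect from www12-azure.checktls.com[40.76.159.115] ehlo=2 starttls=1 mail=1 quit=1 commands=5
Oct 16 08:40:01 mail postfix/smtpd[44801]: connect from unknown[198.51.100.7]
Oct 16 08:40:02 mail postfix/smtpd[44801]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 19 08:52:09 mail postfix/smtp[49103]: Trusted TLS connection established to mail.dane.onl[46.38.233.133]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits)
Oct 19 13:27:52 mail postfix/smtp[53040]: Verified TLS connection established to mail.sys4.de[194.126.158.132]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 19 13:30:11 mail postfix/smtp[53077]: Untrusted TLS connection established to mx.example.net[203.0.113.25]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
""".splitlines()


def parse_tls(line):
    """Fields of a 'TLS connection established' line, or None for any other line."""
    m = TLS_RE.search(line)
    return m.groupdict() if m else None


def plaintext_inbound(lines):
    """Inbound sessions that never issued STARTTLS (no starttls=N with N >= 1 in the summary)."""
    found = []
    for line in lines:
        m = DISC_RE.search(line)
        if not m:
            continue
        st = re.search(r"\bstarttls=(\d+)", m.group("cmds"))
        if st is None or int(st.group(1)) == 0:
            found.append(f'{m.group("host")}[{m.group("ip")}]')
    return found


def outbound_not_verified(lines):
    """Outbound sessions not authenticated by DANE. At smtp_tls_security_level = dane these are
    destinations without usable TLSA records, still delivered with opportunistic TLS only."""
    return sorted({p["host"] for p in map(parse_tls, lines)
                   if p and p["dir"] == "to" and p["level"] != "Verified"})


def legacy_protocol(lines):
    """Peers negotiating TLS 1.0 or 1.1, as (host, protocol) pairs."""
    return sorted({(p["host"], p["proto"]) for p in map(parse_tls, lines)
                   if p and p["proto"] in LEGACY})


def best_level(lines):
    """Highest trust level seen per (direction, host)."""
    best = {}
    for p in filter(None, map(parse_tls, lines)):
        key = (p["dir"], p["host"])
        if RANK[p["level"]] > RANK.get(best.get(key), -1):
            best[key] = p["level"]
    return best


if __name__ == "__main__":
    print("plaintext inbound :", plaintext_inbound(SAMPLE))
    print("outbound not DANE :", outbound_not_verified(SAMPLE))
    print("legacy protocols  :", legacy_protocol(SAMPLE))
```

Point it at a real /var/log/mail.log by replacing SAMPLE with the file's lines. With smtp_tls_security_level = dane, every destination reported by outbound_not_verified() is one where DANE could not be used, so that mail went out with opportunistic TLS only and remains exposed to an active attacker on the path.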

9 Hands-On: Incoming DANE

9.1 Preparing DNSSEC

  • Login to the DNS server machine dns.zNN.dane.onl, become the root user
  • Open the BIND 9 configuration file /etc/bind/named.conf in a text editor (vim, emacs, mg etc.). This configuration already contains the zone zNN.dane.onl, so far without DNSSEC
    zone "zNN.dane.onl" {
         file "zonefile.db";
         type primary;
    };
    
  • Change the configuration of the zone zNN.dane.onl to enable DNSSEC signing with the BIND 9 DNSSEC default policy
    zone "zNN.dane.onl" {
         file "zonefile.db";
         type primary;
         dnssec-policy default;
         inline-signing yes;
    };
    
  • Save the configuration file and check the configuration; fix it if an error is reported
    % named-checkconf -z
    

  • Reload the BIND 9 configuration and sign the zone
    % rndc reconfig
    % rndc sign zNN.dane.onl
    
  • Verify that the zone has been properly signed (the DNSKEY records and their RRSIG signature records should be shown)
    % dig @localhost zNN.dane.onl dnskey +dnssec +multi
    
  • In our lab environment, the operator of the parent zone will detect the DNSKEY records and will create a matching DS record in the parent zone dane.onl to close the DNSSEC chain of trust

9.2 Enabling incoming DANE with TLSA-Record

  • Work on the mail-server machine (mail.zNN.dane.onl)
  • Install a tool to create the TLSA record. Several tools and websites can generate a TLSA record from an X.509 certificate; the commands below produce the recommended form 3 1 1 (DANE-EE, SPKI, SHA-256), which ties the record to the server's public key rather than to a particular certificate or CA:
    • GnuTLS danetool command:
           % apt install gnutls-bin
           % danetool --starttls-proto=smtp --local-dns --tlsa-rr \
             --host=mail.zNN.dane.onl --load-pubkey=/etc/ssl/certs/ssl-cert-snakeoil.pem
      
    • LDNS ldns-dane command:
           % apt install ldnsutils
           % ldns-dane -c /etc/ssl/certs/ssl-cert-snakeoil.pem -n \
              create mail.zNN.dane.onl 25 3 1 1
      
    • SSL-Tools Website: https://ssl-tools.net/tlsa-generator
    • Shumon Huque's Website: https://www.huque.com/bin/gen_tlsa
  • Work on the authoritative DNS server dns.zNN.dane.onl. Add the generated TLSA record (owner name _25._tcp.mail.zNN.dane.onl) with a TTL of 60 seconds to the zone file /etc/bind/zonefile.db, increment the SOA serial number, save, and check the zone for errors. Then reload the zone (the inline signer re-signs it automatically) and make sure the new TLSA record can be resolved from the mail server. The short TTL keeps the certificate rollover later in the workshop quick.
       % named-checkconf -z
       % rndc reload zNN.dane.onl
    
  • Query the TLSA record through an external validating resolver and make sure the AD flag is set in the response: it indicates successful DNSSEC validation, and without it DANE clients treat the record as if it did not exist. If the flag is missing, check that the DS record for zNN.dane.onl has been published in the parent zone.
       % dig _25._tcp.mail.zNN.dane.onl TLSA +dnssec +multi @9.9.9.9
    

10 DANE TLSA Monitoring

11 TLSA Record Rollover

12 Hands-On: Certificate rollover

  • A Let's Encrypt certificate for the mail server is already available at /root/.acme.sh/mail.zNN.dane.onl_ecc/fullchain.cer (private key at /root/.acme.sh/mail.zNN.dane.onl_ecc/mail.zNN.dane.onl.key). It is currently used by the Cockpit web-based administration interface.
  • Create and publish a new TLSA record for this certificate alongside the old one (both records stay in the zone during the rollover, so a sender holding either record in its cache still finds a match)
  • Wait at least one TTL so that every cache can have picked up the new record, then configure the new certificate in Postfix
       % postconf -e "smtpd_tls_cert_file = /root/.acme.sh/mail.zNN.dane.onl_ecc/fullchain.cer"
       % postconf -e "smtpd_tls_key_file = /root/.acme.sh/mail.zNN.dane.onl_ecc/mail.zNN.dane.onl.key"
       % postfix reload
    
  • Test the DANE configuration with https://dane.sys4.de or https://internet.nl
  • Remove the old TLSA record from the DNS zone (increment the SOA serial again), reload the zone and check that only the new TLSA record is published
  • Re-Test DANE with https://dane.sys4.de / https://internet.nl
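To show what the generator commands in section 9.2 compute, what a DANE-verifying sender such as the Postfix client in section 8.2 checks against it, and why the order of the rollover steps above matters, here is an added example in Python (standard library only). It is not part of the workshop material and not the code of danetool or ldns-dane. It extracts the SubjectPublicKeyInfo with a minimal DER walker, builds the RDATA for any selector and matching type, and reproduces the client-side DANE-EE match. Because it has to run offline it uses constructed, unsigned X.509-shaped test certificates built by fake_cert(); the hostname mail.zNN.dane.onl is the lab placeholder.

```python
"""TLSA records from X.509 certificates, the client-side DANE-EE match, and a rollover.
Added example, standard library only; not workshop, danetool or ldns-dane code."""
import base64
import hashlib
import re

# --- minimal DER reader (single-byte tags, which is all X.509 needs) ---

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_children(tlv):
    """Split a constructed DER element into its child elements (raw TLV bytes)."""
    length, start = _der_len(tlv, 1)
    body, children, i = tlv[start:start + length], [], 0
    while i < len(body):
        n, c = _der_len(body, i + 1)
        children.append(body[i:c + n])
        i = c + n
    return children

def spki_from_cert(der):
    """SubjectPublicKeyInfo (DER) of a DER certificate. tbsCertificate is
    [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI, ..."""
    fields = der_children(der_children(der)[0])   # children of tbsCertificate
    if fields[0][0] == 0xA0:                       # explicit version tag present
        fields = fields[1:]
    return fields[5]

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- TLSA, RFC 6698 ---

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """usage 3 = DANE-EE; selector 0 = whole cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_rr(mailhost, cert_der, ttl=60, **kw):
    """Zone-file line for SMTP on port 25, e.g. _25._tcp.mail.zNN.dane.onl."""
    return f"_25._tcp.{mailhost}. {ttl} IN TLSA {tlsa_rdata(cert_der, **kw)}"

def dane_ee_matches(cert_der, rdatas):
    """What a DANE client does for usage 3: the leaf passes if ANY record matches.
    CA trust, subject names and expiry are not consulted for DANE-EE (RFC 7671)."""
    for rd in rdatas:
        usage, sel, mt, hexdata = rd.split()
        if usage != "3":
            continue                                   # usage 2 (DANE-TA) not modelled here
        if tlsa_rdata(cert_der, 3, int(sel), int(mt)).split()[3] == hexdata.lower():
            return True
    return False

# --- constructed, unsigned X.509-shaped certificates so the example runs offline ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content

def fake_cert(key_bytes):
    """DER with the X.509 field layout, key_bytes as public key. NOT a valid certificate."""
    def seq(*parts):
        return _tlv(0x30, b"".join(parts))
    sha256_rsa = seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    rsa_enc = seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")))      # rsaEncryption
    validity = seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z"))
    spki = seq(rsa_enc, _tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sha256_rsa,
              seq(), validity, seq(), spki)           # version, serial, alg, issuer, validity, subject, SPKI
    return seq(tbs, sha256_rsa, _tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    old, new = fake_cert(b"\x01" * 16), fake_cert(b"\x02" * 16)
    print(tlsa_rr("mail.zNN.dane.onl", old))
    both = [tlsa_rdata(old), tlsa_rdata(new)]          # rollover step 1: publish both
    assert dane_ee_matches(old, both) and dane_ee_matches(new, both)
    assert not dane_ee_matches(new, [tlsa_rdata(old)])  # switched before the new RR is live: refused
```

Feeding the PEM text of ssl-cert-snakeoil.pem through pem_to_der() and tlsa_rdata() yields the same 3 1 1 RDATA that the ldns-dane command in section 9.2 prints. The final assertion is the rollover failure mode: if the certificate is switched while only the old record is published (or before caches have had a TTL to pick up the new one), every DANE-verifying sender refuses delivery, while senders without DANE notice nothing.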

13 MTA-STS and DANE

14 TLS Error Reporting (TLSRPT)