Securing Security - DANE TLSA Monitoring

Patrick Koetter and Carsten Strotmann, sys4 AG

Created: 2023-10-31 Tue 09:23

DANE TLSA Monitoring

The need for monitoring

  • Traditional SMTP TLS (opportunistic STARTTLS) is very forgiving: on a TLS error the sending MTA falls back to plaintext and the mail is still delivered
  • With DANE a TLS verification error is a hard error: the connection is not used and delivery fails
    • Mail stays in the sender's queue, is retried, and eventually bounces back to the sender if the problem persists

Things to monitor

  • Operators of DANE-secured mail services should monitor their setup for the following error conditions:
    • Existence of a TLSA record at _25._tcp.<MX host> for every MX host
    • DNSSEC validation errors on the TLSA record (a bogus TLSA RRset makes DANE-aware senders defer delivery; an unsigned one switches DANE off entirely)
    • Number of TLSA records (to detect records that were not removed after a certificate rollover and keep accumulating)
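The three conditions above as a runnable check, added here as an example and not code from the sys4 slides: a POSIX sh function that reads the output of dig +dnssec TLSA _25._tcp.<mx-host>, taken from a validating resolver, on stdin and reports in Nagios style (exit 0/1/2). It looks only at the header line (SERVFAIL from a validating resolver means validation failed), the flags line (AD flag), and the TLSA records of the answer; dig may print a long digest as several space-separated chunks, so the field check joins them. The threshold TLSA_MAX_RECORDS=2, the host name mx1.example.net and every digest in sample_answer are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the sys4 slides: a Nagios-style check for the
# three DNS-side conditions listed under "Things to monitor".
#
# Input on stdin: the output of   dig +dnssec TLSA _25._tcp.<mx-host>
# obtained from a *validating* resolver. Only the header line, the flags
# line and the TLSA records of the answer are looked at.
# Exit status: 0 OK, 1 WARNING, 2 CRITICAL.
#
# Assumptions (mine, not the page's): TLSA_MAX_RECORDS=2 allows the usual
# current+next pair during a certificate rollover; every name and digest in
# sample_answer is constructed test data.

TLSA_MAX_RECORDS=${TLSA_MAX_RECORDS:-2}

check_tlsa_answer() {
    answer=$(cat)

    # A validating resolver turns a DNSSEC validation failure into SERVFAIL.
    status=$(printf '%s\n' "$answer" |
        sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p')
    case $status in
        NOERROR)  ;;
        '')       echo "CRITICAL: no DNS answer received"; return 2 ;;
        SERVFAIL) echo "CRITICAL: SERVFAIL (DNSSEC validation failure or broken zone)"; return 2 ;;
        *)        echo "CRITICAL: query returned $status"; return 2 ;;
    esac

    # Existence: count TLSA RRs only; +dnssec also returns their RRSIGs.
    count=$(printf '%s\n' "$answer" | awk '$3=="IN" && $4=="TLSA" {n++} END {print n+0}')
    [ "$count" -gt 0 ] || { echo "CRITICAL: no TLSA record in answer"; return 2; }

    # Without the AD flag the RRset was not authenticated; a DANE client then
    # behaves as if no TLSA record existed.
    printf '%s\n' "$answer" | grep -q '^;; flags:.* ad[ ;]' ||
        { echo "CRITICAL: TLSA answer is not DNSSEC-authenticated (no AD flag)"; return 2; }

    # Rdata sanity: usage 2/3, selector 0/1, matching type 0/1/2, digest length.
    # dig prints long hex rdata as several space-separated chunks, hence the join.
    bad=$(printf '%s\n' "$answer" | awk '$3=="IN" && $4=="TLSA" {
        hex = ""; for (i = 8; i <= NF; i++) hex = hex $i
        if ($5 !~ /^[23]$/ || $6 !~ /^[01]$/ || $7 !~ /^[012]$/ || hex !~ /^[0-9A-Fa-f]+$/)
            print "malformed rdata " $5 " " $6 " " $7
        else if ($7 == 1 && length(hex) != 64)  print "SHA-256 digest has " length(hex) " hex digits"
        else if ($7 == 2 && length(hex) != 128) print "SHA-512 digest has " length(hex) " hex digits"
    }')
    [ -z "$bad" ] || { echo "CRITICAL: $bad"; return 2; }

    # Accumulation: more records than a rollover needs means an old one was never removed.
    [ "$count" -le "$TLSA_MAX_RECORDS" ] ||
        { echo "WARNING: $count TLSA records, at most $TLSA_MAX_RECORDS expected (stale record from an earlier rollover?)"; return 1; }

    echo "OK: $count DNSSEC-validated TLSA record(s)"
}

# Constructed dig output for the demo cases (host name and digests are made up).
sample_answer() {
    hex='0123456789abcdef0123456789abcdef0123456789abcdef01234567 89abcde'
    if [ "$1" = servfail ]; then
        printf ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711\n'
        printf ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n'
        return 0
    fi
    n=1
    if [ "$1" = none ];  then n=0; fi
    if [ "$1" = stale ]; then n=3; fi
    if [ "$1" = noad ]; then flags='qr rd ra'; else flags='qr rd ra ad'; fi
    printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711\n'
    printf ';; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 1\n\n' "$flags" "$n"
    printf ';; ANSWER SECTION:\n'
    i=0
    while [ "$i" -lt "$n" ]; do
        # distinct 64-hex-digit digests, split like dig splits them
        printf '_25._tcp.mx1.example.net. 3600 IN TLSA 3 1 1 %s%d\n' "$hex" "$i"
        i=$((i + 1))
    done
    if [ "$n" -gt 0 ]; then
        printf '_25._tcp.mx1.example.net. 3600 IN RRSIG TLSA 13 4 3600 20240131000000 20240101000000 4711 example.net. bWFkZS11cC1zaWduYXR1cmU=\n'
    fi
}

# Stand-alone demo over the constructed cases; in production pipe real output in:
#   dig +dnssec TLSA _25._tcp.mx1.example.net | check_tlsa_answer
for c in ok noad none servfail stale; do
    printf '%-9s' "$c"
    sample_answer "$c" | check_tlsa_answer || true
done
```

The AD check matters even when a record exists: a non-validating resolver returns the RRset without AD, and a DANE client ignores it, so the MX is silently not DANE-protected. The constructed RRSIG line shows why the count filters on the TLSA type instead of counting answer lines.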

A Bash function to test DANE-SMTP (1)

  • Bash function danesmtp (source: Viktor Dukhovni):

# Usage: danesmtp <mx-hostname>  (Bash; needs dig and openssl 1.1.0 or later)
danesmtp() {
   local host=$1; shift
   # -verify_return_error makes a verification failure abort the connection;
   # -dane_ee_no_namechecks skips name checks for usage-3 records, as RFC 7672 requires for SMTP
   local opts=(-starttls smtp -connect "$host:25" \
               -verify 9 -verify_return_error -brief \
               -dane_ee_no_namechecks -dane_tlsa_domain "$host")
   # +nosplit keeps each digest in one token; the grep keeps only well-formed records
   # (usage 2/3, selector 0/1, matching type 0-2). +short does not show whether the
   # answer was DNSSEC-validated, so run this against a validating resolver.
   set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | grep -Ei '^[23] [01] [012] [0-9a-f]+$')
   # One -dane_tlsa_rrdata "usage selector mtype digest" per record; if dig returned
   # nothing, no record is passed and there is nothing to verify against (treat as a failure)
   while [ $# -ge 4 ]
   do
      opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4")
      shift 4
   done
   # Give the handshake a second, then QUIT so the server sees a clean session end
   (sleep 1; printf "QUIT\r\n") | openssl s_client "${opts[@]}"
}

A Bash function to test DANE-SMTP (2)

  • Usage:

# danesmtp mx01.posteo.de
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: businessCategory = Private Organization, jurisdictionC = DE, jurisdictionST = Berlin, serialNumber = HRA 47592, C = DE, L = Berlin, O = Posteo e.K., CN = posteo.de
Hash used: SHA512
Verification: OK
DANE TLSA 3 1 1 ...b86d75419e2f593e2ab08399 matched EE certificate at depth 0
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits
250 DSN
DONE

DANE Monitoring scripts

End

Questions? Answers!