
Adding DNS (TLSA - Record) and match against SMTP-server public fingerprint #5705


Open
DRieper opened this issue Mar 17, 2025 · 1 comment
Labels
A:monitor Issues or PRs related to monitors feature-request Request for new features to be added type:enhance-existing feature wants to enhance existing monitor

Comments


DRieper commented Mar 17, 2025

📑 I have found these related issues/pull requests

I realized that many small and medium-sized companies do not support DANE for their mail servers.
In fact, mail communication contains a lot of sensitive information, and they are partly still vulnerable to a man-in-the-middle 'downgrade attack'.

🏷️ Feature Request Type

New monitor

🔖 Feature description

I have often heard that they cannot reliably monitor "DANE" and validate the TLSA DNS record against the public fingerprint of the SMTP server's certificate, since some are using Let's Encrypt and are afraid to miss the renewal without pinning the CSR/key.

Since I love your lightweight, smoothly running Uptime Kuma, I would suggest expanding it, if possible, with that feature.

I think it would already be sufficient just to enter the expected value of the TLSA record and check it against openssl's verification lines.

✔️ Solution

Example of how to check it through dig:

:~$ dig +noall +answer _25._tcp.mail.protonmail.ch TLSA
_25._tcp.mail.protonmail.ch. 821 IN     TLSA    3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E
_25._tcp.mail.protonmail.ch. 821 IN     TLSA    3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1

And gathering the information with:

openssl s_client -starttls smtp -connect mail.protonmail.ch:25 -dane_tlsa_domain mail.protonmail.ch -dane_tlsa_rrdata "3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1" </dev/null 2>/dev/null

Result:

SSL handshake has read 3951 bytes and written 433 bytes
Verification: OK
Verified peername: *.protonmail.ch
DANE TLSA 3 1 1 ...8f7d10a4469a947acc8399e1 matched EE certificate at depth 0

❓ Alternatives

No response

📝 Additional Context

No response

@DRieper DRieper added the feature-request Request for new features to be added label Mar 17, 2025
@CommanderStorm CommanderStorm added A:monitor Issues or PRs related to monitors type:enhance-existing feature wants to enhance existing monitor labels Mar 25, 2025
Collaborator

CommanderStorm commented Mar 25, 2025

I have no idea who/what DANE is, but we would love a PR assuming this is in the DNS spec.

The DNS monitor is defined here:

For things like this, I would expect a test case as well to ensure that we don't regress.
