Can anyone tell me how to set up DANE and TLSA in Cloudflare? Do we need Google Cloud DNS for TLSA records? Which mail server will allow using TLSA at this point?
- Mail servers are notoriously careless with TLS certificates and will frequently and by default use whatever TLS certificate the recipient SMTP server offers, without performing any checks whatsoever. (Because, although bad security practice, that does offer more transport security than sending the email in clear text.) So my expectation for TLSA support and current uptake in mail servers is: not enough to be relevant (yet?) – Bob Feb 14 '22 at 11:30
- Mail servers also cannot encrypt .zip and other attachments, so old-generation mail servers used to suppress zip files containing .exe files (including Gmail), and we used to change the extensions to .txt and we would be able to send the .exe files too, but nowadays Google blocks such binaries too, including js files. The question is how? @Bob – CADENTIC Feb 14 '22 at 12:21
- The linked Cloudflare community discussion is 5 years old and no longer relevant. Cloudflare has since added TLSA records. – Paul Feb 14 '22 at 13:36
- @Bob The mail servers are not "careless". A mail server is configured by administrators. The administrators usually have some reason for configuring the way that they configure. It is a relatively trivial configuration to require CA certificates on recipient servers. The reason this is not done is that too many recipient servers are poorly configured, resulting in undeliverable mail. The same is true on receiving mail, as many sending servers will not support encryption (my observation: most commonly with lists and newsletters, likely saving on resource cost). – Paul Feb 14 '22 at 13:42
- @CADENTIC TLS encryption is only transport, so it will encrypt everything. The filetype issues you are referring to are likely anti-malware protection which prevents users from opening commonly infected filetypes. – Paul Feb 14 '22 at 13:44
- Attachment encryption is, I guess, mail-server specific. File filtering is most likely anti-spam filtering, e.g. SpamAssassin. So users used to change the zip or exe into text and they would be able to send them out, but nowadays Gmail and Outlook scan that too, not only the attachment's extensions. @paul The point is, how did they do it? – CADENTIC Feb 14 '22 at 16:58
- Based on your comments to my answer below, you need to provide more details for your question to be answered, as currently whatever you are trying to accomplish and your current configurations are not adequately explained in this question. – Paul Feb 19 '22 at 16:27
1 Answer
Enable DNSSEC on your domain, then create relevant TLSA records in the Cloudflare interface.
DANE is for the sending server, so it will not matter which mail server you are using to receive with as long as records and TLS are configured correctly.
– Paul
- I have enabled DNSSEC but cannot figure out how I can add DANE while our backend computes are behind a network load balancer in Oracle Cloud (on the always-free tier)? @paul – CADENTIC Feb 14 '22 at 16:46
- You just need to create the TLSA record. [This tool](https://www.huque.com/bin/gen_tlsa) is one of the most straightforward, although it doesn't contain much explanation on what each option is for. You can create multiple records with different certificates. See [RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698) and its updates for more information. – Paul Feb 14 '22 at 17:06
- Cloudflare honors TLSA records if you keep them `DNS Only`; it neither manages the key while the Cloudflare (internal) CA changes it nor does it improve with it. So most likely it is not beneficial with Cloudflare. Cloudflare is beneficial for `https` and `hsts`. – CADENTIC Feb 16 '22 at 08:03
- DNSSEC, I think, is not mandatory for TLSA, because within the DNS management service within `OCI` you will have options for setting up DANE and TLSA. – CADENTIC Feb 19 '22 at 11:03
- Read the Introduction to [RFC 7671](https://datatracker.ietf.org/doc/html/rfc7671#section-1). This entire thing is built on DNSSEC, so I really have no idea what you are talking about. – Paul Feb 19 '22 at 16:23