If connections to the mail server are secured using an SSL/TLS certificate, you can make them more resistant to downgrade and man-in-the-middle attacks by enabling DNS-based Authentication of Named Entities (DANE). DANE also protects against website impersonation caused by certificate authorities being compromised.

In this topic, you will learn how to harden connections to the server using DANE, using SMTP as an example. Note that this topic is not meant to be an exhaustive source of information about DANE or TLSA DNS records.

Prerequisites

Before you can harden SMTP connections using DANE for an individual domain, you need to do the following:

Securing SMTP Server Connections

Once DNSSEC is enabled for a domain, you can proceed. You can harden connections via any application protocol that is already secured using an SSL/TLS certificate via the corresponding combination of transport protocol and port (for example, «TCP/25» for SMTP, «TCP/443» for HTTPS, and so on).

Hardening connections via a specific application protocol is a two-step process:

  • First, you need to generate a hash of the SSL/TLS certificate’s public key. Although you can also use the unhashed public key or the hash of the entire certificate, in this example we will be using a public key hash.
  • Then, you need to add a TLSA DNS record specifying a number of necessary parameters, including the hash.

You need to repeat the above steps for every application protocol you want to harden.

In the example below, we provide the steps to harden SMTP connections to the mail server for an individual domain. You can use them as reference to harden other connections, if desired.

Note: In the example below, we will be using the SHA-256 hash of the SSL/TLS certificate’s public key, and not the entire certificate. This way, you do not need to update the TLSA record when renewing the certificate unless the public key changes as well.

Generating the certificate public key hash

  1. Log in to Plesk.

  2. Go to Websites & Domains and find the domain you need.

  3. Click SSL/TLS Certificates.

  4. Locate the certificate securing the mail server (the one marked with «Secures mail»), and then click the download icon to download the certificate as a *.pem file.

  5. Place the *.pem file on a Linux machine, and then run the following command (make sure to change the working directory to the one containing the file beforehand, and also to replace «certificate.pem» with the actual file name):

    openssl x509 -in certificate.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum | awk '{print $1}'

The resulting output (for example, 499e42e36d7b04529725a1f8036e0f7cf1030b4e25a3fa1988f2572e1ce70d28) is the SHA-256 hash you will use when creating the TLSA DNS record.

Adding the TLSA DNS record

  1. Log in to Plesk.
  2. Go to Websites & Domains and find the domain you need.
  3. Go to the Hosting & DNS tab, and then click DNS.
  4. Click Add Record.
  5. Select «TLSA» from the «Record type» drop-down menu.
  6. (Optional) Specify a TTL for the record. If you are not sure about what the optimum TTL may be, leave the «TTL» field blank. In this case, the default TTL value will be used.
  7. Specify port «25». Do not add the underscore character; it is added automatically.
  8. Specify protocol «tcp». Do not add the underscore character; it is added automatically.
  9. Enter «mail» into the «Domain name» field.
  10. Select «3, DANE-EE» from the «Usage» drop-down menu.
  11. Select «1, SPKI» from the «Selector» drop-down menu.
  12. Select «1, SHA-256» from the «Matching type» drop-down menu.
  13. Paste the certificate public key hash you generated earlier into the «Certificate association data» field.
  14. Click OK, and then click Update to apply the changes to the DNS zone.

A TLSA DNS record is added, and the changes to the DNS zone are applied. Once the DNS changes have propagated (this usually takes around 24 hours), DANE will become active for SMTP connections to the domain.
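As an added example (not part of the Plesk documentation or product), the following Python script reproduces both steps above offline: it extracts the SubjectPublicKeyInfo from the downloaded *.pem (or DER) certificate, hashes it with SHA-256 exactly as the openssl pipeline does, and returns the zone-file TLSA line that corresponds to the values entered in the Plesk form («3, DANE-EE», «1, SPKI», «1, SHA-256»). Because it hashes the SPKI as-is, it also works for EC keys, for which `openssl rsa -pubin` fails; the sample certificate and the function names are constructed for this example and are not real.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file (the *.pem downloaded from Plesk)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) of the DER TLV starting at pos; long-form lengths supported."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def spki_from_cert_der(cert: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo, i.e. what selector 1 (SPKI) is hashed over."""
    _, cert_body, _ = _read_tlv(cert, 0)          # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE { ... }
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                               # version [0] is optional (absent in v1 certs)
        pos = 0
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)               # subjectPublicKeyInfo: keep the whole TLV
    return tbs[pos:end]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tlsa_assoc_data(cert, selector: int = 1) -> str:
    """Association data for matching type 1 (SHA-256); selector 1 = SPKI, 0 = full certificate."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return sha256_hex(spki_from_cert_der(der) if selector == 1 else der)

def tlsa_rr(cert, port=25, proto="tcp", host="mail", usage=3, selector=1) -> str:
    """Zone-file line equivalent to the Plesk form (usage 3 = DANE-EE, matching type 1 = SHA-256)."""
    return f"_{port}._{proto}.{host} IN TLSA {usage} {selector} 1 {tlsa_assoc_data(cert, selector)}"

def der_seq(*parts: bytes) -> bytes:
    """Tiny DER SEQUENCE encoder (short-form length only), used to build the constructed sample."""
    body = b"".join(parts)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample (not a real certificate): a structurally valid X.509 v3 skeleton with a dummy SPKI.
SAMPLE_SPKI = der_seq(der_seq(), b"\x03\x02\x00\x7f")
SAMPLE_CERT = der_seq(der_seq(b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", der_seq(), der_seq(),
                              der_seq(), der_seq(), SAMPLE_SPKI, b"\xa3\x00"), der_seq(), b"\x03\x01\x00")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_CERT).decode()
```

Calling `tlsa_rr(open("certificate.pem").read())` on the file downloaded from Plesk yields the same 64-character hash as the openssl command above, so it can double as a check that the value pasted into «Certificate association data» is correct.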