This article applies to:
- MailMarshal 10.1.0 and above
- DNS-based Authentication of Named Entities (DANE)
Question:
- What configuration is required to implement DANE with MailMarshal?
Background:
DANE is a standard that allows senders to validate the recipient endpoint for TLS delivery. Validation is based on information about the TLS certificate provided in TLSA DNS records, served securely with DNSSEC.
DANE support is available in MailMarshal 10.1.0 and above.
DANE evaluation is disabled by default in MailMarshal 10.1.0.
For DANE compliance:
- Ensure that environmental prerequisites are configured.
- Enable DANE for sending in MailMarshal
- Optionally exclude specific domains from DANE evaluation in MailMarshal
Prerequisites:
Configuration of DNS infrastructure including DNSSEC and TLSA records is outside the scope of this article.
Inbound DANE support requires:
- DNSSEC compliant DNS infrastructure for the local domain
- TLS certificate provided in MailMarshal and inbound TLS enabled
- TLSA record in DNS for the local domain, matching the provided certificate
This information will be used by the sending server to validate DANE when sending messages.
Note that MailMarshal does not validate DANE for messages delivered to local domain servers. Security of the local domain connection is assumed to be under the full control of the domain owner.
Outbound DANE support requires:
MailMarshal Configuration:
To enable DANE evaluation for mail sending:
- In the Management Console navigate to Configuration > Advanced Settings
- Add a setting: Sender.EnableDANE (boolean) True
MailMarshal will evaluate DANE based on RFC compliance of the recipient domain.
- If all DNS lookups are secure and valid (MX, A, and TLSA) and the remote domain certificate is successfully verified, DANE validation succeeds.
- If all DNS lookups are secure and valid but the certificate of the remote server does not validate, delivery fails permanently and a Non-Delivery Report is generated.
- If the DNSSEC evaluation returns "bogus" at any level (broken DNSSEC trust chain, invalid TLSA records or expired keys), delivery fails permanently and a Non-Delivery Report is generated.
- If any of the DNS lookups is insecure or the TLSA lookup returns NXDOMAIN, DANE evaluation is terminated and standard opportunistic TLS delivery is attempted.
You can use third party web-based tools to check the DNSSEC compatibility of any domain. Some links to third party tools are provided in the Related Links below.
Excluding Domains from DANE:
To exclude recipient domains from DANE evaluation:
- Add domain wildcard entries like *@example.com to the User Group DANE Excluded Domains
- Enable the Content Analysis rule Policy Management Outbound > Ignore Dane Validation
This group and rule are created on a new install or upgrade to MailMarshal 10.1.0.
- On upgrade if the Policy Management Outbound policy group does not exist, the rule will be created in a new upgrade policy group __Upgrade__DANE Rule.
- NOTE: You must edit Filtering conditions of this policy group and ensure it is set to apply to outgoing messages only.
Limitations:
In release 10.1.0, MailMarshal only supports DANE for MX based delivery. DANE is not validated for rule-based delivery to specific hosts, such as the rule action "set message routing to host" or "send a copy of the message to host"
