Score:1

DANE and TLSA in Cloudflare


Can anyone tell me how to set up DANE and TLSA in Cloudflare? Do we need Google Cloud DNS for TLSA records? Which mail server will allow using TLSA at this point?

ref link for DANE

Bob
Mail servers are notoriously careless with TLS certificates and will frequently, and by default, use whatever TLS certificate the recipient SMTP server offers, without performing any checks whatsoever. (Because, although it is bad security practice, that does offer more transport security than sending the email in clear text.) So my expectation for TLSA support and current uptake in mail servers is: not enough to be relevant (yet?)
CADENTIC
Mail servers also cannot encrypt .zip and other attachments, so old-generation mail servers (including Gmail) used to suppress zip files with .exe files, and we used to change the extensions to .txt and would be able to send the .exe files too; but nowadays Google blocks such binaries too, including .js files. The question is how? @Bob
Paul
The linked Cloudflare community discussion is 5 years old and no longer relevant. Cloudflare has since added TLSA records.
Paul
@Bob The mail servers are not "careless". A mail server is configured by administrators. The administrators usually have some reason for configuring the way that they configure. It is a relatively trivial configuration to require CA certificates on recipient servers. The reason this is not done is too many recipient servers are poorly configured, resulting in undeliverable mail. The same is true on receiving mail, as many sending servers will not support encryption (my observation: most commonly with lists and newsletters, likely saving on resource cost).
Paul
@CADENTIC TLS encryption is only transport, so it will encrypt everything. The filetype issues you are referring to are likely anti-malware protection which prevents users from opening commonly infected filetypes.
CADENTIC
Attachment encryption is, I guess, mail-server specific. File filtering is most likely anti-spam filtration, e.g. SpamAssassin. So users used to change the zip/exe into text and they would be able to send them out, but nowadays Gmail and Outlook scan that too, not only the attachment's extension. @Paul the point is, how did they do it?
Paul
Based on your comments to my answer below, you need to provide more details for your question to be answered, as currently whatever you are trying to accomplish and your current configurations are not adequately explained in this question.
Score:0
Paul

Enable DNSSEC on your domain, then create relevant TLSA records in the Cloudflare interface.

DANE is for the sending server, so it will not matter which mail server you are using to receive with as long as records and TLS are configured correctly.

CADENTIC
I have enabled DNSSEC but cannot figure out how I can add DANE while our backend computes are behind a network load balancer in Oracle Cloud (on the Always Free tier). @Paul
Paul
You just need to create the TLSA record. [This tool](https://www.huque.com/bin/gen_tlsa) is one of the most straightforward, although it doesn't contain much explanation on what each option is for. You can create multiple records with different certificates. See [RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698) and its updates for more information.
CADENTIC
Cloudflare honors TLSA records if you keep them `DNS Only`; it neither manages the key while the Cloudflare (internal) CA changes it, nor does it improve with it. So most likely it is not beneficial with Cloudflare. Cloudflare is beneficial for `https` and `hsts`.
CADENTIC
DNSSEC, I think, is not mandatory for TLSA, because within the DNS management service within `OCI` you will have options for setting up DANE and TLSA.
Paul
Read the Introduction to [RFC 7671](https://datatracker.ietf.org/doc/html/rfc7671#section-1). This entire thing is built on DNSSEC, so I really have no idea what you are talking about.
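To make the answer's "create relevant TLSA records" concrete, here is an added example (editor's code, not from anyone in this thread, from Cloudflare, or from the linked tool) that does the two halves of DANE for SMTP from RFC 6698: it generates the record a domain owner publishes for a mail server certificate, and it performs the match a DANE-aware sending server makes against the certificate the receiving server presents. The owner name `_25._tcp.mail.example.com.` and the self-signed certificate are constructed placeholders; a real deployment would feed in the MX host's actual certificate (PEM decoded with `encoding/pem`, then `x509.ParseCertificate`).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the four RDATA fields of a TLSA record (RFC 6698, section 2.1).
type TLSA struct {
	Usage    uint8  // 3 = DANE-EE: the record describes the end-entity certificate itself
	Selector uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
	MType    uint8  // 0 = exact bytes, 1 = SHA-256 (2 = SHA-512 is not implemented here)
	Data     []byte // certificate association data
}

// assocData derives the association data for one certificate: pick the bytes
// named by the selector, then reduce them with the matching type.
func assocData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	sel := cert.Raw // selector 0: the whole DER certificate
	if selector == 1 {
		sel = cert.RawSubjectPublicKeyInfo // selector 1: only the public key
	} else if selector != 0 {
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch mtype {
	case 0:
		return sel, nil
	case 1:
		sum := sha256.Sum256(sel)
		return sum[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", mtype)
}

// GenerateTLSA computes the record to publish for a certificate, e.g. "3 1 1".
func GenerateTLSA(cert *x509.Certificate, usage, selector, mtype uint8) (TLSA, error) {
	data, err := assocData(cert, selector, mtype)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, MType: mtype, Data: data}, nil
}

// Presentation renders the record as entered in a zone file or DNS UI; owner is
// the port/protocol-prefixed name, e.g. "_25._tcp.mail.example.com.".
func (t TLSA) Presentation(owner string) string {
	return fmt.Sprintf("%s IN TLSA %d %d %d %s", owner, t.Usage, t.Selector, t.MType, hex.EncodeToString(t.Data))
}

// Matches is the check a DANE-aware sending server makes against the certificate
// the receiving SMTP server presents. Only DANE-EE (usage 3) is handled: usage 2
// (DANE-TA) needs chain building to the trust anchor, so it is refused, not passed.
func (t TLSA) Matches(cert *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("usage %d not supported by this checker", t.Usage)
	}
	data, err := assocData(cert, t.Selector, t.MType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(data, t.Data), nil
}

// selfSignedCert creates a throwaway certificate standing in for the mail
// server's real one (constructed sample input, not a deployment key).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := selfSignedCert("mail.example.com")
	rec, _ := GenerateTLSA(cert, 3, 1, 1)
	fmt.Println(rec.Presentation("_25._tcp.mail.example.com."))
	ok, _ := rec.Matches(cert)
	fmt.Println("presented certificate matches record:", ok)
}
```

The "3 1 1" form is the one to prefer for mail: because it hashes only the SubjectPublicKeyInfo, a certificate renewal that keeps the same key pair leaves the published record valid, which is exactly the rotation concern raised in the comments above. The record lives at `_25._tcp.` followed by the MX hostname (the name the sending server connects to), not the mail domain itself, and as RFC 7671 says, the whole mechanism only works when the zone holding the record is DNSSEC-signed.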