I’ve been trying to update my SMTP servers to get better scores on Internet.nl. I’ve got the Microsoft 365 servers up to 100% now that they support DANE and DNSSEC. Still working on figuring out the Dovecot/Postfix servers though as it involves updating a TLSA record whenever the TLS certificates change.
Should nine.testrun.org and other chatmail relays implement DANE and get a 100% up to date score on the internet.nl tests? Email test: nine.testrun.org
chatmail/relay uses a DNSSEC-verifying resolver (unbound), and filtermail-transport (feat: Use filtermail for delivery to remote MTAs by j-g00da · Pull Request #916 · chatmail/relay · GitHub) also has a DNSSEC-verifying resolver, but currently filtermail-transport does not look at TLSA. It makes some sense to implement TLSA support in filtermail-transport and reject the connection if a TLSA record exists but the certificate does not match. This might prevent MITM attacks in the case where the chatmail relay DNS zone is signed with DNSSEC and the attacker can issue a certificate. You can, however, already prevent a MITM attacker from issuing a valid certificate for your server with a CAA record, so it is not clear in which scenario TLSA would help. Maybe for self-signed certificates it would be useful, in case you want to get rid of the WebPKI (Let’s Encrypt) dependency and rely on DNSSEC only. chatmail/relay currently allows self-signed certificates for domains that start with _ because they cannot get a WebPKI certificate; they are used for testing, but with TLSA support they might be made somewhat secure on the server-to-server level.
On the client side it is more difficult to make use of TLSA. With the system resolver on Android you can only resolve A/AAAA records, and with other operating systems it is similar. Browsers just build a Cloudflare/Google DoH resolver into the application. Otherwise we would be able to make some use of the SHA-256 hash of the SPKI; there is even a PR merged that uses the same format internally.
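The server-to-server check discussed above (reject when a TLSA record exists but the certificate's SubjectPublicKeyInfo does not match, otherwise keep the existing WebPKI behaviour), as an added example that is not code from chatmail/relay or filtermail-transport. It assumes the DNSSEC-validated TLSA rdata is already available in presentation format, that the caller has extracted the SPKI DER bytes from the remote certificate, and that only DANE-EE (usage 3) with the SPKI selector is handled; the sample SPKI bytes are constructed for demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE; other usages are treated as unusable here
    selector: int  # 1 = SubjectPublicKeyInfo (0 = full certificate, not handled)
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def is_usable(record: TLSA) -> bool:
    """Only DANE-EE + SPKI selector + known matching types are checked."""
    return record.usage == 3 and record.selector == 1 and record.mtype in (0, 1, 2)


def spki_matches(record: TLSA, spki_der: bytes) -> bool:
    """Compare the record's association data against the peer's SPKI."""
    if not is_usable(record):
        return False
    if record.mtype == 0:
        expected = spki_der
    elif record.mtype == 1:
        expected = hashlib.sha256(spki_der).digest()
    else:
        expected = hashlib.sha512(spki_der).digest()
    return hmac.compare_digest(record.data, expected)


def dane_decision(records: list[TLSA], spki_der: bytes) -> str:
    """'accept' / 'reject' when usable TLSA exists, 'no-tlsa' otherwise (fall back to WebPKI)."""
    usable = [r for r in records if is_usable(r)]
    if not usable:
        return "no-tlsa"
    return "accept" if any(spki_matches(r, spki_der) for r in usable) else "reject"


# Constructed sample: stands in for the DER-encoded SPKI of a relay's certificate.
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo DER bytes, not a real key"
SAMPLE_TLSA = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())

if __name__ == "__main__":
    print(dane_decision([SAMPLE_TLSA], SAMPLE_SPKI))          # accept
    print(dane_decision([SAMPLE_TLSA], b"attacker-issued"))   # reject
    print(dane_decision([], SAMPLE_SPKI))                     # no-tlsa
```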