Feature request: Act as own nameserver - TLS reporting (postfix-tlspol)

lucaat

Hello!

I think it would make managing DNS much easier if mailcow had a dns server where it acts as the nameserver for itself.

the advantage would be that it could create all necessary dns records and at setup you would only have to create GLUE records for your custom mailcow nameservers at your registrar.

Like IPv4/6, -> 1&2 for ns.mailcowbox.tld, ns2.mailcowbox.tld (in practice most TLD allow the same IPs for both nameservers)

Mail-in-a-box works like this.

Without this updated TLSA records seem to be a huge manual chore for DANE to keep working?

and then I was wondering what version mailcow uses for postfix? In 3.10.x you can start sending TLS reports (with tlsreporter) I thought this would be a nice addition since you are already doing postfix-tlspol.

mlcwuser

lucaat Mail-in-a-box works like this.

Yes, but…

As far as I know, Mail-in-a-Box doesn’t rotate the keys either, meaning there are no subsequent changes to the DNS records. Therefore, the only real advantage is that you don’t have to set them up manually, which would be a one-time task with Mail-in-a-Box as well.

However, there are some disadvantages, such as the fact that you only get one authoritative DNS server for your domains by default. This means that either you have to use a secondary nameserver provider or you have to set up and manage any secondary servers yourself. Okay, there’s not much to manage on a secondary nameserver, but still, you should have at least one.

And yes, in practice, you can use the same IP address for both ns1 and ns2 with most TLDs. However, this violates the standard and, more importantly, provides no redundancy. If this one server on which the DNS is running goes down for some reason, all the domains you host on it will no longer work. Therefore, in my opinion, it is better to use a DNS provider. Or, if you absolutely want to host DNS yourself, you should at least run two servers, preferably in two different data centres.

ETNyx

Well, what are you solving? TLSA and DANE?

Use TLSA 3 1 1, MC does not rotate his keys, it survive usual cert 90 days expiration. So set it once and forgot.

You do not need add unnecessary complexity and surface attack to MC and in fact raising maintenance cost,..

For your last question I believe Postifx is 3.7 due to currently locking on oldstable Debian.

lucaat

With self hosted dns you solve automatic key rotation for TLSA/DANE, so you dont have to deal with manual updates on cert renewals.

You also save a lot of time, not having to manually set records. MC could come up with the dkim, dmarc, mx, spf records on its own and make it work out of the box whenever glue records are set.

DANE might add “complexity” but it reduces the attack surface.

Mailcow now ships with postfix-tlspol which is a MTA-STS and DANE resolver. So you can offer both. tlspol prefers DANE.

postfix-tlspol can also do TLS-Reporting which is part of the MTA-STS spec (but only if it runs postfix 3.10.x so a very recent version)

https://datatracker.ietf.org/doc/html/rfc8460

Both of these mechanisms push email security further for the better of everyone.

ETNyx

Ok, first, let’s put aside TLS-Reporting and Postfix versions, that’s out of scope and I believe will be implemented, hold up is most-likely that, update to Trixie is shipped whit huge change in configuration that is hard to do, to not break peoples instance,…) so please be patient there.

lucaat With self hosted dns you solve automatic key rotation for TLSA/DANE, so you dont have to deal with manual updates on cert renewals.

You also save a lot of time, not having to manually set records. MC could come up with the dkim, dmarc, mx, spf records on its own and make it work out of the box whenever glue records are set.

Ok, let’s assume vanilla MC, tell me how often you need to change your DNS records? How much time you spend configuring your DNS? From what you wrote I feel you spend so much time in this, that I think something is wrong in you MC, because I do not feel i need own NS to be automated.

lucaat DANE might add “complexity” but it reduces the attack surface.

Nope, current MC does not prevent you from using DANE. But adding public facing DNS definitely add attack surface.

lucaat Mailcow now ships with postfix-tlspol which is a MTA-STS and DANE resolver. So you can offer both. tlspol prefers DANE.

Ok, I that’s current state, what adding public facing DNS offer/add? What I’m missing?

lucaat

Ah I think my virtualmin still uses 3 0 1 instead of 3 1 1 - so 3 1 1 survives cert renewals only if an entirely fresh cert is requested it needs to be updated?

I know it is otherwise a one time thing, but filling in all the records feels like a chore.

I like the instant functioning of new subdomains when using authorative dns locally, you never have to deal with external tinkering.

ETNyx

Yes,
3 0 1 hashes the full certificate — breaks on every renewal, so you need to rotate TLS record.
3 1 1 hashes only the public key — survives every renewal as long as the key itself is not rotated.

Key we are talking about private key on your server, check git

lucaat I know it is otherwise a one time thing, but filling in all the records feels like a chore.

I like the instant functioning of new subdomains when using authorative dns locally, you never have to deal with external tinkering.

I understand, still do not think worth the effort, if so ask for extending API to expose necessary DNS settings, than you can make yourself bridge. Any good DNS provider is allowing managing DNS records over his API. Or config your own server, that is properly setup whit redundancy as usual.