I have a question on domain/web- and mail server security best practices. I understand that DKIM, SPF and maybe a DMARC record are quasi-standard and a must-have. What about DANE? I see that not even our mail provider has it implemented, and it's their business after all. So is DANE/DNSSEC something you consider worth activating, or is it not widely used or necessary?
As a side note, I became aware of DANE because of this test site. I am asking myself if it is a bit overzealous, as the results are quite poor, even for a site that SSL Labs rates A+. By the way, I had to change the TLS policy in Neth to the newest entry, else SSL Labs rated the site B only. I was surprised that TLS 1.0 and 1.1 are active in the standard configuration, but it was easy enough to change that in Cockpit.
Following are the points that are criticized at https://en.internet.nl and are the reason for the mediocre rating:
Not reachable via an IPv6 address. Really? Is that an argument nowadays?
Domain not signed with DNSSEC
Your web server offers an HSTS policy with a cache validity period (max-age) that is not sufficiently long (i.e. less than 1 year). We consider an HSTS cache validity period of at least 1 year (max-age=31536000) to be sufficiently secure.
Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.
AES128-SHA256: phase out
AES256-GCM-SHA384: phase out
AES128-GCM-SHA256: phase out
AES256-SHA256: phase out
Your web server does not prefer "Good" over "Sufficient" over "Phase out" ciphers ("II").
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.
DH-2048 insufficient
Your web server does not support OCSP stapling
Your website domain does not contain a TLSA record for DANE
Your web server does not offer Content-Security-Policy (CSP), or does offer CSP with certain insecure settings.
Those verdicts finally lead to a score of 47%.
What do you think of those findings? Quite a difference to an A+ rated site by SSL Labs…
A mail server with DKIM/SPF/DMARC enabled gets a slightly better rating, but still only 62%, again because of missing IPv6, DNSSEC, DANE, ciphers, key exchange parameters and client-initiated renegotiation…
I would be interested in some of our experts' judgement of the results this site is delivering. Do they exaggerate? I mean IPv6 - c'mon…
And if they have some valid points - do you have recommendations to implement in a NethServer environment to augment security?
For the record, some links that I did not yet have the time to read through; I thought I'd first ask here instead of wasting time on a maybe exaggerated safety need:
RIPE (Réseaux IP Européens), which manages all European IPs, confirmed 1-2 years ago that IPv4 addresses for Europe have run out…
Even if you've got the financial backing, your only option now, if you want to start a BIG European provider, is to buy one with plenty of allocated IPs…
That's why IPv6 is needed. (Admittedly, as my clients and I myself use NethServer, I have deactivated IPv6 in all networks except for LAB nets…).
Even in Switzerland, providers like UPC will give you only IPv6 unless you ASK for IPv4, for example to use with a company VPN. Then you will get IPv4 allocated…
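Since the DANE/TLSA finding is the one that started this thread, here is what the missing record actually is, as an added worked example (not code from the original post, and not NethServer's own tooling). A TLSA record (RFC 6698) is `usage selector matching-type digest`, published under `_port._tcp.host`; the usual choice with Let's Encrypt is `3 1 1`, i.e. DANE-EE, a SHA-256 of the SubjectPublicKeyInfo, which keeps working across certificate renewals as long as the key pair is reused. The script uses only the standard library: a small DER walker pulls the SPKI out of the certificate, builds the record, and checks a presented certificate against a record the way a DANE-aware client does. The certificate it runs on is constructed inline with placeholder contents so the example runs offline; the host names are assumptions. For a real host, pass the DER of the server certificate instead (`pem_to_der()` handles the PEM file).

```python
"""DANE TLSA record (RFC 6698) from an X.509 certificate, stdlib only.

Added example for this thread, not code from the posts or from NethServer.
The certificate below is CONSTRUCTED (real DER layout, placeholder contents)
so the script runs offline; feed in a real DER certificate for a real host.
"""
import base64
import hashlib


def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = length-byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_encode(tag, content):
    """Encode one TLV; only used to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def extract_spki(cert_der):
    """Return the whole SubjectPublicKeyInfo TLV (what selector 1 hashes).

    TBSCertificate = SEQ { [0] version OPTIONAL, serialNumber, signature,
                           issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = der_read_tlv(cert_der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_read_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, nxt = der_read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                               # serial, sigalg, issuer, validity, subject
        _, _, pos = der_read_tlv(cert_der, pos)
    tag, _, nxt = der_read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return cert_der[pos:nxt]


def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """RDATA 'usage selector matching digest'; default 3 1 1 = DANE-EE, SPKI, SHA-256."""
    if selector == 0:
        data = cert_der                              # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)                # public key only: survives renewal
    else:
        raise ValueError("selector must be 0 (Cert) or 1 (SPKI)")
    if matching == 0:
        digest = data.hex()
    elif matching == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif matching == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {matching} {digest}"


def tlsa_owner(host, port, proto="tcp"):
    """Owner name a DANE client queries: _port._proto.host."""
    return f"_{port}._{proto}.{host}."


def tlsa_matches(rdata, cert_der):
    """Client-side check: recompute with the record's own parameters and compare."""
    usage, selector, matching, _ = rdata.split(" ", 3)
    return rdata == tlsa_rdata(cert_der, int(usage), int(selector), int(matching))


def pem_to_der(pem_text):
    """Decode a PEM certificate (e.g. Let's Encrypt cert.pem) to DER bytes."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def build_sample_cert():
    """CONSTRUCTED placeholder certificate; returns (cert_der, spki_der)."""
    rsa_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))    # rsaEncryption
    sha256rsa = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
    null = der_encode(0x05, b"")
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))              # [0] INTEGER 2 = v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, sha256rsa + null)
    name = der_encode(0x30, b"")                                       # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z")
                          + der_encode(0x17, b"250101000000Z"))
    spki = der_encode(0x30, der_encode(0x30, rsa_oid + null)
                      + der_encode(0x03, b"\x00" + bytes.fromhex("3003020103")))  # dummy key
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = der_encode(0x03, b"\x00" + bytes.fromhex("deadbeef"))   # dummy signature
    return der_encode(0x30, tbs + sig_alg + signature), spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    rdata = tlsa_rdata(cert)
    # same key on the web server and the MX: one digest, two owner names
    for owner in (tlsa_owner("www.example.com", 443), tlsa_owner("mail.example.com", 25)):
        print(f"{owner} IN TLSA {rdata}")
    print("presented certificate matches record:", tlsa_matches(rdata, cert))
```

Two things the script makes visible that the internet.nl verdict does not: the record is only as trustworthy as the DNS answer it rides on, so without DNSSEC on the zone a `3 1 1` record gives a client nothing to validate against, which is why the test lists the two together; and with selector 1 a renewed Let's Encrypt certificate keeps matching only if the key is reused (`--reuse-key` in certbot), otherwise the record must be rolled with every renewal.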
My 2 cents
Andy
DANE: overrated, too paranoid…
Even DMARC is not really well thought out; plenty of issues, especially with mailing lists.
I don't use DMARC at all, but do use SPF and DKIM.
Hi Andy and thanks for your comment. I find it overzealous that they rate upon availability of IPv6, DANE and so on. But maybe they have some valid points (HSTS cache policy, ciphers, key exchange, OCSP stapling)? I'd be interested in some opinions, but I also think that maybe SPF/DKIM and the newest TLS is enough to be on the safe side.
What about DNSSEC? Our provider would support full DNSSEC, but I did not find it beneficial enough to look into it yet, apart from activating it in Pi-hole along with using the filtering Quad9 upstream DNS server…
These two are important for mail server <-> mail server communications, absolutely.
TLS is more a client-side thing, as SMTP between servers is not encrypted, as per RFC.
If, say, one of your co-workers works from a home office and changes their provider, you could run into IPv6 trouble…
If you're aware that you can ASK for IPv4 from most providers here, that's easily solved, once you know it's an IPv6 problem…
But if you don't think of IPv6 issues, you can look a long time before you solve the issues (mail server on Neth not reachable, for example…).
As to DNSSEC, I quite agree. Not yet a must, more headaches than benefit at the moment…
Thanks for your point of view. I'll wait then to see whether there are settings that should be changed to improve some of their reported "issues" like HSTS cache policy, ciphers, key exchange, OCSP stapling. By the way, is 2048 bits for a Let's Encrypt certificate still OK? On my private non-Neth Nextcloud server on Gentoo I had already, years ago, configured a Let's Encrypt certificate of 4096 bits. Maybe some of the above could make it into the standard settings within NethServer if they are considered more secure, like elliptic curves instead of RSA keys for SSH, for example?
At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.