Koozali.org: home of the SME Server

dnssec and dane: safer email for sme users

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
dnssec and dane: safer email for sme users
« on: August 18, 2014, 09:31:20 PM »
Hi,

In the past I have repeatedly pleaded the case that sme server should use postfix, or any mail system that implements sending email by default with encryption, i.e. TLS.

In the past the answer was no because:
1- changing to postfix is a lot of work
2- since email servers usually use self-signed certificates, a MITM attack cannot be ruled out, so that solution is not very good.

In the last c't I read a story about the dane protocol that might just solve this problem in the future.
http://www.internetsociety.org/deploy360/resources/dane/

In short, the dane protocol works like this:
- a mailserver that accepts TLS connections publishes this in its MX or other dns records
- these dns records should be secured by dnssec, or numerous other attacks are still possible (dns spoofing etc)
- a mailserver that has such tls mail server records should not be connected to unencrypted
- with dnssec you can also sign your self-signed TLS certificates. Effectively dnssec acts as an alternative trust-chain system.

In the after-Snowden age I feel users of Sme deserve the safest email possible. So it would benefit users if the dane protocol appears on the roadmap.

Of course this means much work:
- another mail system might be necessary, though I am not sure
- but the dns subsystem needs to be replaced by something dnssec aware. Perhaps power-dns is an option as this uses a mysql backend, but of course other possibilities exist.

Just my two cents.

nl.linkedin.com/in/hanscees/
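An added example (not from the post, and not SME Server or Postfix code) of the TLSA side of dane as described above: it builds the TLSA record a mail admin would publish for the MX host's (here constructed, dummy) self-signed certificate, and performs the sending-side DANE-EE match a dane-aware MTA does before trusting the STARTTLS session. Assumed and out of scope: DNSSEC validation of the record, DANE-TA chain validation, and the minimal DER parser's coverage of real certificates; the certificate bytes are a constructed placeholder with a real X.509 tag layout.

```python
import hashlib

def der(tag, value):
    # Encode one DER TLV with a definite short- or long-form length.
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def der_tlvs(buf):
    # Split a buffer of DER TLVs into (tag, value, raw_tlv) triples; definite lengths only.
    out, pos = [], 0
    while pos < len(buf):
        start, length, pos = pos, buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next (length & 0x7F) octets hold it
            nbytes = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        out.append((buf[start], buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return out

def spki_of(cert_der):
    # Certificate -> tbsCertificate -> fields (RFC 5280 order); return the raw SPKI TLV.
    tbs = der_tlvs(der_tlvs(cert_der)[0][1])[0]
    fields = der_tlvs(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    return fields[5][2]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_assoc(cert_der, selector, mtype):
    # RFC 6698 association data: selector 0 = whole cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512.
    data = cert_der if selector == 0 else spki_of(cert_der)
    return {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)

def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    # Presentation form the mail admin publishes at _25._tcp.<mx host> IN TLSA, e.g. "3 1 1 <hex>".
    return f"{usage} {selector} {mtype} {tlsa_assoc(cert_der, selector, mtype).hex()}"

def tlsa_matches(leaf_der, record):
    # Sending-side DANE-EE (usage 3) check; usage 2 also needs chain validation, so it is not accepted here.
    usage, selector, mtype, hexdata = record.split()
    return int(usage) == 3 and tlsa_assoc(leaf_der, int(selector), int(mtype)) == bytes.fromhex(hexdata)

# Constructed placeholder certificate: real X.509 tag layout, dummy contents, so this runs offline.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
SPKI = der(0x30, ALG + der(0x03, b"\x00" + b"\x01" * 40))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\x02" * 16))
```

`tlsa_record(CERT)` yields the "3 1 1 <sha256 of SPKI>" record to publish; because selector 1 pins the key rather than the certificate, a renewed self-signed certificate with the same key still matches, while a record with another usage or a different certificate does not.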

Offline janet

  • *****
  • 4,812
  • +0/-0
Re: dnssec and dane: safer email for sme users
« Reply #1 on: August 18, 2014, 10:56:34 PM »
hanscees

Please post your comments to the devinfo mailing list,
and
raise a new bug, under NFR (New Feature Request).

That's the way (devinfo) to start a discussion between developers who will be the ones most likely to implement this,
&
to have a placeholder (bug report) for this type of new feature, & further development work etc can take place there if deemed appropriate.

I think the move to postfix has been suggested many years ago by lead developers of the day, but they no longer have a big involvement in sme server, so the concept is valid & some developers would agree with you.

Quote
1- changing to postfix is a lot of work

That is probably the main impediment, but now that sme9 is out, developers' attention can turn to other things, once most contribs are updated.
The sme9 base OS (CentOS 6.5) is a much better platform under which to do development work.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline hanscees

  • *
  • 267
  • +0/-0
    • nl.linkedin.com/in/hanscees/
Re: dnssec and dane: safer email for sme users
« Reply #2 on: August 18, 2014, 11:12:50 PM »
Quote
hanscees

Please post your comments to the devinfo mailing list,
and
raise a new bug, under NFR (New Feature Request).

That's the way (devinfo) to start a discussion between developers who will be the ones most likely to implement this,
&
to have a placeholder (bug report) for this type of new feature, & further development work etc can take place there if deemed appropriate.

I think the move to postfix has been suggested many years ago by lead developers of the day, but they no longer have a big involvement in sme server, so the concept is valid & some developers would agree with you.

That is probably the main impediment, but now that sme9 is out, developers' attention can turn to other things, once most contribs are updated.
The sme9 base OS (CentOS 6.5) is a much better platform under which to do development work.

Just filed this bug as an NFR:
http://bugs.contribs.org/show_bug.cgi?id=8532

I don't know how to post to the dev mailing list.

nl.linkedin.com/in/hanscees/

Offline stephdl

  • *
  • 1,523
  • +0/-0
    • Linux et Geekeries
Re: dnssec and dane: safer email for sme users
« Reply #3 on: August 19, 2014, 12:30:55 AM »
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline Xavier.A

  • ****
  • 104
  • +0/-0
Re: dnssec and dane: safer email for sme users
« Reply #4 on: August 19, 2014, 12:09:52 PM »
hi hanscees,

I think you are right to do it here and not somewhere else. This request should be discussed with users and not only with Koozali developers!

The use of postfix is a really good idea! Why? Maybe someone could explain to the users why Postfix (MTA) could be a great enhancement for SME!

At SME Server EU, we are working on a lot of new enhancements (the interface ergonomics and a responsive server-manager, software deployment manager, theme manager, the use of containers (LXC/Docker/Vz) for complex deployment, multiple SSL certificates, add-on store, etc.). You're welcome if you want to work with us on this sort of enhancement!

We are thinking that we should do this sort of development ourselves ;-)

Regards
“When the wise man points to the moon, the fool looks at the finger.”

Offline janet

  • *****
  • 4,812
  • +0/-0
Re: dnssec and dane: safer email for sme users
« Reply #5 on: August 19, 2014, 01:02:15 PM »
Xavier.A

Quote
I think you are right to do it here and not somewhere else. This request should be discussed with users and not only with Koozali developers!

I think you are wrong.
What can the users do about integrating postfix into sme server, nothing !
You & they can talk all you want but nothing will happen to the code unless skilled developers decide to do so.
It needs skilled developers to integrate something as complex as a new mail agent into the core sme server.
It's not a simple task !

I'm not suggesting that you not talk about it wherever you want, but unless you are talking to developers in the right place, then nothing will happen.

Quote
We are thinking that we should do this sort of development ourselves...

Why do it yourselves, why not give/add your expertise and contribute to sme/Koozali server.
Your group seems intent on creating a competitor to sme/Koozali server, which is a very similar product.
Join the developers here & make sme/Koozali even better, rather than going off & rolling your own version of sme server.
If people combined their efforts here, rather than going off & creating a spin off, then the resultant sme/Koozali server would be a better product than either sme/Koozali or smeserver EU versions.

Think about that.

It's the same concept with the Italian group, better to add to a project & make it stronger rather than going off & making a weaker version of the same thing.

I think you are just trying to entice knowledgeable people like hanscees over to your group, poaching talent.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Xavier.A

  • ****
  • 104
  • +0/-0
Re: dnssec and dane: safer email for sme users
« Reply #6 on: August 19, 2014, 04:07:28 PM »
Janet,

Usually I don't take the time to answer you; you seem to be experienced enough to understand why.

Quote
I think you are wrong.
What can the users do about integrating postfix into sme server, nothing !
You & they can talk all you want but nothing will happen to the code unless skilled developers decide to do so.
It needs skilled developers to integrate something as complex as a new mail agent into the core sme server.
It's not a simple task !

I'm not suggesting that you not talk about it wherever you want, but unless you are talking to developers in the right place, then nothing will happen.

How many good open source MTA solutions:
  • Exim
  • Sendmail
  • Postfix
Why could Postfix be a better choice than Sendmail or Exim? That's what we should talk about here, no?

hanscees presents us with good reasons. It is worth trying to have a real technical debate, no?

Quote
I think you are just trying to entice knowledgeable people like hanscees over to your group, poaching talent.

Well Janet, you are right: what news! ;-)

Regards
“When the wise man points to the moon, the fool looks at the finger.”

guest22

Re: dnssec and dane: safer email for sme users
« Reply #7 on: August 19, 2014, 09:26:24 PM »
Xavier,

can you please take your personal crusade off-line and discuss your issues with the Koozali team directly?

The Koozali team and the devinfo mailing list are the ONLY way to try to start discussions like these (and many more of yours) with the right audience.

Please don't try the silly game of convincing/showing innocent readers that "you are right" and we all know by now that you are knowledgeable, kudos for that. I hope you will keep sharing that with devinfo mailing list and our bugzilla.

SME Server philosophy is all about sustainability, security and usability. To make that happen and keep it maintained over all the years that have passed and the years still to come, many, many factors have to be taken into consideration. Then, and only then, technology choice and implementation come into play, with their own challenges.

We live in a dynamic world. SME Server has chosen the safe side of that world, and not the bleeding edge. That means what SME server produces simply works in a very, very wide range of scenarios, and not least is very secure and stable.

See you on the devinfo list!

guest

Offline janet

  • *****
  • 4,812
  • +0/-0
Re: dnssec and dane: safer email for sme users
« Reply #8 on: August 19, 2014, 10:31:05 PM »
Xavier.A

Well thank you for answering me, I feel privileged.

Quote
Why could Postfix be a better choice than Sendmail or Exim? That's what we should talk about here...

Hanscees has done the right thing & followed our suggestion to post a bug & join devinfo mail list, see
http://bugs.contribs.org/show_bug.cgi?id=8532
So why not you too ?

You may have technical knowledge to discuss the pros & cons of these MTAs, but many readers here do not, so you are wanting to push your convincing arguments onto less knowledgeable people who may blindly accept your reasoning etc.

Discuss it in the right place, with your peer group, where your technical expertise is matched by the technical expertise of other experienced & knowledgable developers.
On devinfo mail list or in bugzilla as a NFR, you can toss around & explore the serious technical arguments for & against switching to another MTA.
You can put a link in these forums to those posts, so all can read it & comment if they wish.

I think there may be a general attitude that transferring to a different (better) MTA is appropriate, so I do not see that as a great argument to be won. Yes, which MTA & why is a valid question, but the biggest challenge is the man/woman developer hours available to do this.
Unfortunately the current sme/Koozali team is very short of skilled developers with free time to spare & give, so your input & services would be greatly appreciated, but you will need to work as a team member.

RequestedDeletion's comments are well said & I agree with them.

There is much more to good software than just the technical design.
SME server has been around a long time, with a proven track record of security, stability, support infrastructure (web sites, wiki etc), ease of use & a large user base, & has survived many community issues (a good point rather than a negative one).
Any new spin off version of the OS will have a hard time attaining that track record, it is far better in my opinion to add to the existing product, & all that it is, rather than doing your own thing.
« Last Edit: August 19, 2014, 10:56:57 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.