DANE

As of 2018, email is generally transmitted without proper transport encryption. DANE is a proposed standard that has the potential to make widespread email transport encryption a reality.

DANE for SMTP not only provides a trust scheme (an alternative to the certificate authority system) anchored in DNSSEC, but also a way to know whether a domain supports encrypted email transfer. Halon has supported DANE since 2015.

How it works

DANE is only available over DNSSEC, and uses the TLSA record type. An email server (MTA) needs to make only one extra DNS query to use DANE, namely a TLSA lookup for the MX host:

$ dig freebsd.org mx +short
10 mx1.freebsd.org.
$ dig _25._tcp.mx1.freebsd.org tlsa +short
3 1 1 0A7E2F469913EA64CA98AF...

after which the server's certificate is compared against the TLSA record. The log output from a Halon system for a destination with DANE (freebsd.org) and one without (gmail.com) looks like

smtp_lookup_rcpt(["host" => "lookup-mx", "tls"=>"dane"], "", "[email protected]"); // DANE
smtp_lookup_rcpt(["host" => "lookup-mx", "tls"=>"dane"], "", "[email protected]"); // Insecure

freebsd.org
Connecting to [2001:1900:2254:206a::19:1]:25 (DNSSEC)
X.509: /OU=Domain Control Validated/OU=Gandi Standard...
DANE: validated successfully
Connection is now using TLS
...
gmail.com
Connecting to [2a00:1450:4010:c06::1b]:25
DANE: insecure name gmail.com (falling back to optional TLS)
X.509: /C=US/ST=California/L=Mountain View/O=Google Inc...
X.509 error: unable to get local issuer certificate (20)
Connection is now using TLS
...
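
The comparison step above, the server certificate against the TLSA record, worked through as an added example (not Halon's or ldns's code). It parses TLSA RDATA in the form dig prints it, extracts the SubjectPublicKeyInfo from a DER certificate for selector 1, applies the matching type (0 exact, 1 SHA-256, 2 SHA-512), and checks the result. Only DANE-EE (usage 3, as in the freebsd.org record) is handled; the sample certificate is a constructed, unsigned placeholder with just enough structure to locate the SPKI.

```python
import hashlib

def der_tlv(tag, payload):  # minimal DER encoder, used only to build the constructed sample
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def der_children(data):
    """Split a DER payload into (tag, whole TLV, inner value) items."""
    items, i = [], 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, j = int.from_bytes(data[j:j + k], "big"), j + k
        items.append((tag, data[i:j + n], data[j:j + n]))
        i = j + n
    return items

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of an X.509 certificate."""
    tbs = der_children(der_children(der_children(cert_der)[0][2])[0][2])
    if tbs[0][0] == 0xA0:                          # skip optional [0] EXPLICIT version
        tbs = tbs[1:]
    return tbs[5][1]   # serialNumber, signature, issuer, validity, subject, SPKI

def tlsa_assoc_data(cert_der, selector, mtype):
    """Certificate association data for a TLSA selector (0 full cert, 1 SPKI) and matching type."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[mtype]

def tlsa_matches(record, cert_der):
    """Check TLSA RDATA 'usage selector mtype hex' (as dig prints it) against the server cert."""
    usage, selector, mtype, hexdata = record.split(None, 3)
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) is checked here; usage 2 needs the chain")
    expected = bytes.fromhex(hexdata.replace(" ", ""))   # dig may wrap long hex with spaces
    return tlsa_assoc_data(cert_der, int(selector), int(mtype)) == expected

def tlsa_record_for(cert_der, selector=1, mtype=1):
    """The '3 <selector> <mtype> <hex>' RDATA a domain would publish for this certificate."""
    return f"3 {selector} {mtype} {tlsa_assoc_data(cert_der, selector, mtype).hex().upper()}"

def sample_cert():
    """Constructed Certificate-shaped DER (not a real, signed cert) with a locatable SPKI."""
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")))
                   + der_tlv(0x03, b"\x00" + b"\xAB" * 32))   # rsaEncryption OID + dummy key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, b"") * 4 + spki)  # v3, serial, 4 empty SEQs, SPKI
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

With a real server certificate, pass its DER bytes in place of sample_cert() and the RDATA from the dig output shown above; a mismatch here is what a DANE-enabled MTA treats as a failed delivery, not a reason to fall back to plain TLS.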

Implementation

Halon's DANE implementation is based on the NLnet Labs ldns library's DANE functions (which are included in FreeBSD). Outbound SMTP connections are handled by our DANE-enabled SMTP client, which is used by both standard functions such as