IPv6 and HE certification web server question
-
@Gertjan said in IPv6 and HE certification web server question:
I don't think HE will ask you to fire up a mail server
You misunderstand. You need to be "sage" to be able to open port 25 incoming with HE. I just asked what else you're gonna gain.
-
aahhhh, I get it.
HE can be considered as an ISP, and as such - see above - they will block "TCP 25".
So being sage unblocks that? Nice to know.
-
@Gertjan Yepp. Go to your tunnel and then click on advanced. If it is not there when you are "sage", you might have to contact support.
-
@Gertjan said in IPv6 and HE certification web server question:
Btw : there should also be a comparable test for DNSSEC. And a Letsencrypt-like certificate (certification) test. With these two, "DANE" becomes possible and that will be the end of all CA's as they are not needed anymore.
I stopped using DANE because it became too burdensome with Letsencrypt. Sadly.
But you are right, something certbot-like together with DANE could end things.
-
@Bob-Dig said in IPv6 and HE certification web server question:
I stopped using DANE because it became too burdensome with Letsencrypt.
Here : this will take care of your issues : https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Add these to your zone :
I have a domain name 'test-domaine.fr', and added the current 5 signing certificate hashes :
$ORIGIN mail.test-domaine.fr.
_25._tcp TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba
_25._tcp TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
_25._tcp TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
_25._tcp TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
_25._tcp TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
_25._tcp TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
and now I'm good up until the moment these start to fade out, and new ones get added and used.
Check here : https://dane.sys4.de/smtp/test-domaine.fr - one of them matches, so DANE will be ok.
I'm using Letsencrypt certs for everything : web, smtp, pop, imap, you name it.
-
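Added example (not from the thread or from any poster): a small Python script that builds TLSA 2 1 1 records from a certificate's SubjectPublicKeyInfo, the same form as the records in the post, and then checks a presented chain against the published records, reporting which records match, which are stale after an issuer rotation, and which a verifier would ignore. The certificate and SPKI bytes are constructed placeholders, not real DER.

```python
import hashlib

def parse_tlsa(line):
    """Parse a zone-file TLSA line such as '_25._tcp TLSA 2 1 1 2bba...'."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    data = bytes.fromhex("".join(fields[i + 4:]))  # hex may be split over fields
    return usage, selector, mtype, data

def association_data(cert_der, spki_der, selector, mtype):
    """RFC 6698 association data: selector 0 = full cert, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    chosen = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return chosen
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(chosen).digest()

def tlsa_record(owner, cert_der, spki_der, usage=2, selector=1, mtype=1):
    """Record text to publish; the defaults give the '2 1 1' form used in the post."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{owner} TLSA {usage} {selector} {mtype} {data.hex()}"

def check_chain(chain, records):
    """chain: [(cert_der, spki_der), ...] leaf first; records: TLSA zone lines. Usage 1/3
    (end entity) must match the leaf, 0/2 (trust anchor) may match any chain cert; PKIX
    path validation is out of scope. Returns index lists (matched, stale, unusable)."""
    matched, stale, unusable = [], [], []
    for idx, line in enumerate(records):
        usage, sel, mt, data = parse_tlsa(line)
        if usage not in (0, 1, 2, 3) or sel not in (0, 1) or mt not in (0, 1, 2):
            unusable.append(idx)  # RFC 7671: unsupported parameters, record is ignored
            continue
        candidates = chain[:1] if usage in (1, 3) else chain
        if any(association_data(c, k, sel, mt) == data for c, k in candidates):
            matched.append(idx)
        else:
            stale.append(idx)  # e.g. the hash of an issuer that has rotated out
    return matched, stale, unusable

# Constructed stand-ins for a leaf and its issuers (placeholder bytes, not real DER).
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
CURRENT_ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")
RETIRED_ISSUER = (b"constructed-old-issuer-cert", b"constructed-old-issuer-spki")
CHAIN = [LEAF, CURRENT_ISSUER]
ZONE = [
    tlsa_record("_25._tcp", *CURRENT_ISSUER),   # still in the chain -> matches
    tlsa_record("_25._tcp", *RETIRED_ISSUER),   # rotated out -> stale, safe to remove
    "_25._tcp TLSA 2 1 9 " + "00" * 32,         # unknown matching type -> ignored
]  # check_chain(CHAIN, ZONE) -> ([0], [1], [2])
```

DANE passes as long as at least one record matches, which is why the post's set of issuer hashes keeps working until every issuer it lists has rotated out.
-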
@Gertjan Thanks but I pass. Also, no one had a problem with my servers when DANE was failing...
-
@Bob-Dig said in IPv6 and HE certification web server question:
no one had a problem with my servers
Well they had a problem with the info you published in your DNS zone info ^^
Publish the correct info, and everybody is happy.
Like DKIM - like SPF - like DMARC. Like a correct reverse host name. H*ll, like a certificate on your web and mail server that is 'valid' for your servers. Like DNSSEC.
Some of them are a must have these days, some are more or less optional.
Try sending a mail from your domain's mail server to a gmail address, and then check how gmail 'scores' your mail. And normally, we don't want an A+ because it looks nice (no one cares actually), we want the A+ because it means we probably, maybe, understood the things we work with.
-
@Gertjan No A+ for me because I don't run any public web server.
And there is no score in an email to gmail right? It just says if you passed the usual stuff.
But I "enabled" gmail's Postmaster Tools now. Probably will do nothing because I rarely send email.
-
@Bob-Dig said in IPv6 and HE certification web server question:
I just asked what else you gonna gain.
Understanding of IPv6 and how it functions being the top one, to be honest. And the cool t-shirt..
-
@Gertjan Ooooo yeah!!!
mirroredanalytics.com is up and running :) ipv6 and ipv4
Now I have to create an ipv6 webserver with the port 25 thing you guys are talking about. I am going to use iRedMail over Kali. I just have to make a new copy of Kali; my current one is too old to download anything anymore...
Got to tell you, I loved my old CD days with PHLAK linux pen testing software
-
I can almost make a post in the HE forum ... almost to sage...
I just need an IPv6 enabled mail system, with working RDNS.
The last step took my gmail as a working ipv6 email. I guess there was a time that was not the case...
-
@JonathanLee If I recall with the email section - I just used their free dns and setup the PTR records, etc.
-
@johnpoz thanks for the recommendations again!!
I know the basics of IPv6. I can configure an ipv6 webserver that is behind a secure firewall inside of an IPv6 tunnel broker that tunnels inside of an IPv4-only ISP. I can manage and parse out AAAA records for streaming services that do not support tunnel brokers. I understand glue records and have my website mirroredanalytics.com working (just the basics, I have not spent any time really designing it. Right now, my web server is still under construction) YEAHHHH Buddy!
Plus they said I get a T-Shirt :)