DANE and SMTP - BlueCat Address Manager - 8.3.2

Address Manager Administration Guide

BlueCat Address Manager

Use DANE to secure email communication.

By default, SMTP is unencrypted and could allow a malicious attacker from eavesdropping on email communications. DANE and TLSA records secure SMTP email by confirming the identity of a mail-exchange server.

The problems with SMTP

SMTP relies on multiple DNS resolvers and multiple mail-exchange servers. The complex web of DNS resolvers and mail servers leaves connections exposed to DNS attacks (such as cache poisoning) and network attacks (such as man-in-the-middle).
  • MX records, A records, and other DNS resource records can be spoofed
  • Malicious attackers can easily eavesdrop on email communication as SMTP is unencrypted and unauthenticated

SMTP encryption is an option but it must be enabled by the sender and the receiver, and even then a man-in-the-middle can circumvent this by spoofing an unencrypted DNS server and redirecting the traffic to a malicious domain.

DANE and DNSSEC solve the SMTP problem

DNSSEC secures DNS and DANE secures the network. DANE ensures you are talking to the correct certificate from the correct server.
  • DNSSEC lets you trust the mail-exchange server and trust that the TLSA record is accurately pointing to the right certificate
  • DANE's TLSA record identifies the certificate or the CA
  • Security across the email communication is enforced