HCL Domino Ideas Portal

Status Needs Review
Workspace Domino
Categories Security
Created by Guest
Created on Sep 30, 2024

Domino should support modern SMTP related protocols DANE, MTA-STS and TLS-RPT

Domino is a bit behind in implementing e-mail security protocols. While DMARC support is still waiting for implementation, newer protocols are already in use: DANE, MTA-STS and TLS-RPT.

1. DANE (DNS-Based Authentication of Named Entities)

  • RFC 6698: The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)
    This RFC defines how the DANE protocol is used to associate TLS certificates with domain names using DNSSEC.

  • RFC 7672: SMTP Security via Opportunistic DANE TLS
    This RFC extends DANE for SMTP, describing how to use DANE with SMTP to protect email delivery over TLS and how to ensure the integrity of TLS certificates through DNSSEC.

2. MTA-STS (Mail Transfer Agent Strict Transport Security)

  • RFC 8461: SMTP MTA Strict Transport Security (MTA-STS)
    This RFC defines MTA-STS, which allows a domain to declare its ability to support secure (TLS) connections and require sending mail servers to use it, thereby preventing downgrade attacks.

3. TLS-RPT (SMTP TLS Reporting)

  • RFC 8460: SMTP TLS Reporting
    This RFC defines a mechanism for domains to publish policies for TLS reporting and provides a framework for mail servers to send reports on TLS failures or delivery issues.


To fully support DANE, MTA-STS, and TLS-RPT, a mail server must:

  1. For DANE:

    • Perform DNSSEC validation.

    • Support and enforce TLSA records.

    • Ensure strict use of TLS.

  2. For MTA-STS:

    • Fetch and enforce MTA-STS policies via DNS and HTTPS.

    • Validate MX hosts and ensure TLS connections as per policy.

  3. For TLS-RPT:

    • Collect and report issues with TLS connections.

    • Support sending JSON-based reports to the appropriate domain contacts.

To split this between incoming and outgoing server support:

1. For Incoming Mail:

  • Validate DNSSEC for the domains sending you mail.

  • Validate the sender’s TLSA records (DANE).

  • Log any connection issues and be prepared to generate TLS-RPT reports if requested.

2. For Outgoing Mail:

  • Before sending mail, check for the existence of an MTA-STS policy or TLSA records for the recipient domain.

  • Fetch and parse the MTA-STS policy and ensure TLS is used if required.

  • Validate the recipient server's certificate against any existing TLSA records.

  • Log failed TLS connections and generate a report for domains with TLS-RPT policies in place.
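The outgoing-mail steps above (fetch and parse the MTA-STS policy, check the MX host against it, decide whether delivery may proceed and whether a TLS-RPT failure should be recorded) as an added worked example in Python; this is illustrative code, not Domino's implementation, and the policy text, domain names and the `tls_ok` flag are constructed assumptions.

```python
# Added example (not HCL Domino code): parse an MTA-STS policy body as it would
# be fetched over HTTPS, validate an MX host against its "mx" patterns, and
# apply the RFC 8461 mode semantics to an outbound delivery attempt.

# Constructed sample policy body, in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 section 3.2).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-example.net
max_age: 604800
"""

def parse_mta_sts_policy(text):
    """Parse the key: value policy body into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy mode")
    policy["max_age"] = int(policy.get("max_age", ""))  # required field
    return policy

def mx_matches_policy(mx_host, policy):
    """RFC 8461 section 4.1: '*.example.net' matches exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parent = pattern[2:]
            prefix = host[: -len(parent) - 1] if host.endswith("." + parent) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """Return (deliver, report); 'report' marks a failure worth a TLS-RPT entry.
    tls_ok: STARTTLS succeeded with a certificate valid for mx_host (assumed input)."""
    failed = (not mx_matches_policy(mx_host, policy)) or (not tls_ok)
    if policy["mode"] == "none":
        return True, False
    if policy["mode"] == "testing":
        return True, failed        # deliver anyway, but report the failure
    return (not failed), failed    # enforce: refuse delivery on any failure
```

A real sender would also cache the policy for `max_age` seconds and only refetch when the `_mta-sts` TXT record's `id` changes, which this example leaves out.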


-- Martijn de Jong (e-office)
