test message

Bjørn Mork bjorn at mork.no
Thu Apr 12 08:59:04 UTC 2018


/dev/rob0 <rob0 at gmx.co.uk> writes:

> That's the wrong hostname for mail.  Check the MX for lists.isc.org.
>
> $ dig lists.isc.org. mx +noall +answer
>
> ; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
> ;; global options: +cmd
> lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
> lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.
>
> $ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall +answer ; done
>
> ; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
>
> ; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
> ;; global options: +cmd
> _25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916


Yes, mx.pao1.isc.org is fine as shown by https://dane.sys4.de/smtp/lists.isc.org

mx.ams1.isc.org does not answer on port 25 so it's hard to tell if the
certificate is OK.


>> Received the following record for name _443._tcp.lists.isc.org.:
>>         Usage:                          3 (End-Entity [DANE-EE])
>>         Selector:                       0 (Certificate [Cert])
>>         Matching Type:                  1 (SHA-256)
>>         Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
>> This record is valid (well-formed).
>> Attempting to verify the record with the TLS service...
>> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
>> Got the following IP: 149.20.1.60
>> Did set servername lists.isc.org
>> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)
>
> We're drifting off topic here, but I thought DANE hadn't really made 
> it to HTTPS yet?  This appears wrong, but does it matter?

They have chosen to publish a TLSA record.  Of course it matters.  If it
didn't, then they surely wouldn't have gone through the extra hassle of
maintaining yet another TLSA record.  Would they?

I guess there is still too much money in the https business for full
DANE support in browsers.  You can use the excellent plugin from
https://www.dnssec-validator.cz/ to get a visual hint.  But it doesn't
replace a DANE validating browser.  The plugin cannot override the
certificate expiration checks built into the browsers, and it does not
ask any questions even if the TLSA validation fails.

> DANE is in use for SMTP.

Maybe. I'm not convinced there are too many strictly validating MTAs out
there...

>> They should probably consider the good advice found here:
>> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>> 
>> and combine that with Viktors recommendations given here:
>> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>
> Of course.  In addition I'd suggest that LE certificates, while nice 
> for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes, 
> because it will help with MUAs, but for mail exchange, I use my own 
> private CA.

I would have agreed a couple of years ago. Of course you *can* use a
private CA for smtp without any issues, and there might be advantages
like being able to relay based on the CA. But LE has made it simpler to
use their CA than maintaining your own.  There is really no reason why
you shouldn't take advantage of that for smtp too.


Bjørn
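
As an added illustration of the TLSA records quoted above (not code from this thread or from ISC), the following Python checks a `3 0 1` / `3 1 1` record against a presented certificate the way a DANE-EE validator does: it parses the dig presentation line (including the hex that dig wraps with a space), rebuilds the Certificate Association Data from the DER certificate or its SubjectPublicKeyInfo, and compares. The `renewal_demo` function uses constructed stand-in byte strings, not real DER, to show the point behind the linked Let's Encrypt advice: a selector 0 digest goes stale at every renewal, while a selector 1 digest survives as long as the key pair is reused.

```python
import hashlib
import re

# Presentation format as printed by dig in the thread; dig wraps long
# association data with spaces, so the hex field may contain whitespace.
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+TLSA\s+(?P<usage>\d)\s+(?P<selector>\d)"
    r"\s+(?P<mtype>\d)\s+(?P<data>[0-9A-Fa-f ]+)$"
)

def parse_tlsa(line):
    """Parse one dig answer line into a TLSA record dict."""
    m = TLSA_RE.match(line.strip())
    if not m:
        raise ValueError("not a TLSA presentation line: %r" % line)
    return {"owner": m["owner"], "usage": int(m["usage"]),
            "selector": int(m["selector"]), "mtype": int(m["mtype"]),
            "data": bytes.fromhex(m["data"].replace(" ", ""))}

def association_data(selector, mtype, cert_der, spki_der):
    """Certificate Association Data for a DER certificate / SPKI pair."""
    payload = {0: cert_der, 1: spki_der}[selector]   # 0 = full cert, 1 = SPKI
    if mtype == 0:                                   # 0 = exact match
        return payload
    if mtype == 1:                                   # 1 = SHA-256
        return hashlib.sha256(payload).digest()
    if mtype == 2:                                   # 2 = SHA-512
        return hashlib.sha512(payload).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate satisfies the record (usage 3: no PKIX chain needed)."""
    expected = association_data(record["selector"], record["mtype"], cert_der, spki_der)
    return expected == record["data"]

# Record quoted in the thread for mx.pao1.isc.org; the server's certificate
# is not on the page, so this line only exercises parsing of the wrapped hex.
PAO1_LINE = ("_25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 "
             "71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0")

def renewal_demo():
    """Constructed stand-in DER blobs: a 3 0 1 record goes stale when the
    certificate is renewed, a 3 1 1 record survives while the key is reused."""
    spki = b"constructed-spki-of-a-reused-key"
    cert_v1 = b"constructed-cert-v1:" + spki
    cert_v2 = b"constructed-cert-v2:" + spki          # renewed cert, same key
    rec_301 = {"selector": 0, "mtype": 1, "data": association_data(0, 1, cert_v1, spki)}
    rec_311 = {"selector": 1, "mtype": 1, "data": association_data(1, 1, cert_v1, spki)}
    return tlsa_matches(rec_301, cert_v2, spki), tlsa_matches(rec_311, cert_v2, spki)
```

For a real check, feed `tlsa_matches` the DER of the leaf certificate the MX presents on port 25 and the DER of its SubjectPublicKeyInfo.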


More information about the dhcp-users mailing list