test message

/dev/rob0 rob0 at gmx.co.uk
Wed Apr 11 23:20:25 UTC 2018 

On Wed, Apr 11, 2018 at 10:15:12PM +0200, Bjørn Mork wrote:
> /dev/rob0 <rob0 at gmx.co.uk> writes:
> 
> > If this doesn't arrive on the list right away it might mean that 

(It did arrive and was distributed right away.)

> > ISC's TLSA records were not updated yet for the new certificates. :)
> 
> Does not look like it to me:
> 
> bjorn at canardo:~$ tlsa -dv lists.isc.org

That's the wrong hostname for mail.  Check the MX for lists.isc.org.

$ dig lists.isc.org. mx +noall +answer

; <<>> DiG 9.11.26 <<>> lists.isc.org. mx +noall +answer
;; global options: +cmd
lists.isc.org.          7200    IN      MX      10 mx.ams1.isc.org.
lists.isc.org.          7200    IN      MX      10 mx.pao1.isc.org.

$ for Site in pao ams ; do dig _25._tcp.mx.${Site}1.isc.org. tlsa +noall +answer ; done

; <<>> DiG 9.11.27 <<>> _25._tcp.mx.pao1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.pao1.isc.org. 3600  IN      TLSA    3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

; <<>> DiG 9.11.28 <<>> _25._tcp.mx.ams1.isc.org. tlsa +noall +answer
;; global options: +cmd
_25._tcp.mx.ams1.isc.org. 3600  IN      TLSA    3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

> Received the following record for name _443._tcp.lists.isc.org.:
>         Usage:                          3 (End-Entity [DANE-EE])
>         Selector:                       0 (Certificate [Cert])
>         Matching Type:                  1 (SHA-256)
>         Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
> This record is valid (well-formed).
> Attempting to verify the record with the TLS service...
> Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
> Got the following IP: 149.20.1.60
> Did set servername lists.isc.org
> FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)

We're drifting off topic here, but I thought DANE hadn't really made 
it to HTTPS yet?  This appears wrong, but does it matter?  DANE is in 
use for SMTP.

> They should probably consider the good advice found here:
> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
> 
> and combine that with Viktors recommendations given here:
> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

Of course.  In addition I'd suggest that LE certificates, while nice 
for HTTPS, have no place in port 25 SMTP.  465/587 submission, yes, 
because it will help with MUAs, but for mail exchange, I use my own 
private CA.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

More information about the dhcp-users mailing list