Hi!
I'm testing the new exim 4.85 DANE support and it took only some days to
get in trouble...
One of our users tried to send mail to the domain education.lu.
Their domain and MX hosts are DNSSEC enabled and have TLSA RRs.
The DANE validator
https://dane.sys4.de/smtp/education.lu
says: "Unusable TLSA Records". Most likely because type 1 is not allowed
for DANE-SMTP?
I've set hosts_try_dane = * in my SMTP transport.
Exim refuses to talk to those hosts at all with "failure while setting up
TLS session". Is this expected behavior in terms of DANE-SMTP? What's
postfix doing in this case?
Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha(a)gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria

I'd like to draw everyone's attention to:
https://dane.sys4.de/common_mistakes#3
When you are planning to replace certificates of SMTP servers with
published TLSA records, you MUST *first* publish a transitional
TLSA RRset:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <current-digest>
_25._tcp.mail.example.com. IN TLSA 3 1 1 <next-digest>
let that "burn in" for a few TTLs, while DNS caches time out the
previous RRset containing only the current digest.
Then and only then, deploy the certificate chain whose leaf (public
key in the above example) digest is <next-digest>. Once that appears
to work, you can remove the stale digest from DNS:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <next-now-current-digest>
I am seeing an uptick in the number of sites that replace their
certificates, but neglect to update their TLSA records. That's
not a good plan. DO NOT DO THAT. If maintaining valid TLSA records
is too difficult, don't publish them, you'll be forgiven.
--
Viktor.
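To make the rollover procedure Viktor describes concrete, here is an added example (my own illustration, not code from either poster, Exim or Postfix). It parses zone-file style TLSA records, computes the digest field of a "3 1 1" record (SHA-256 over the DER SubjectPublicKeyInfo), marks records with certificate usage 0 or 1 as unusable for DANE-SMTP (RFC 7672 only supports usages 2 and 3, which is the likely reason behind the "Unusable TLSA Records" verdict in the first message), and then walks through the phases of a certificate replacement, checking at each step whether every RRset a client might still hold (the freshly published one and the one old caches may serve) matches the key the server is presenting. The SPKI byte strings and the TTL/cache states are constructed for the example; they are not real keys or a real zone.

```python
"""Model of the TLSA "burn in" rollover from the thread (added example, not list code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TLSA:
    usage: int      # certificate usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # matching type: 0 exact, 1 SHA-256, 2 SHA-512
    data: str       # certificate association data as lowercase hex


def parse_tlsa(rr: str) -> TLSA:
    """Parse '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>' (hex may be chunked)."""
    fields = rr.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    return TLSA(usage, selector, mtype, "".join(fields[i + 4:]).lower())


def tlsa_311_digest(spki_der: bytes) -> str:
    """Digest field for a '3 1 1' record: SHA-256 over the DER SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


def usable_for_smtp(rr: TLSA) -> bool:
    """RFC 7672: only DANE-TA(2) and DANE-EE(3) are usable for SMTP; 0 and 1 are not."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def matches_served_key(rrset: List[TLSA], served_digest: str) -> bool:
    """Does any '3 1 1' record in the set match the key the server currently presents?"""
    return any(rr.usage == 3 and rr.selector == 1 and rr.mtype == 1
               and rr.data == served_digest for rr in rrset)


def rollover_check(published: List[TLSA], cached: List[TLSA], served_digest: str) -> str:
    """'ok' only if both the authoritative RRset and a possibly stale cached RRset
    contain a usable record matching the served key; otherwise say which one fails."""
    for label, rrset in (("published", published), ("cached", cached)):
        usable = [rr for rr in rrset if usable_for_smtp(rr)]
        if not usable:
            return f"{label} RRset has no usable records"
        if not matches_served_key(usable, served_digest):
            return f"{label} RRset does not match the served key"
    return "ok"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
CURRENT_SPKI = b"constructed SPKI bytes: current key"
NEXT_SPKI = b"constructed SPKI bytes: next key"
CUR = tlsa_311_digest(CURRENT_SPKI)
NXT = tlsa_311_digest(NEXT_SPKI)
OWNER = "_25._tcp.mail.example.com. IN TLSA "

OLD_RRSET = [parse_tlsa(OWNER + "3 1 1 " + CUR)]                # only current digest
TRANSITIONAL = [parse_tlsa(OWNER + "3 1 1 " + CUR),             # current + next digest
                parse_tlsa(OWNER + "3 1 1 " + NXT)]
FINAL = [parse_tlsa(OWNER + "3 1 1 " + NXT)]                    # stale digest removed
PKIX_ONLY = [parse_tlsa(OWNER + "1 1 1 " + CUR)]                # usage 1: unusable for SMTP


def rollover_scenarios() -> Dict[str, str]:
    """Each phase of the procedure, with the RRset caches may still hold."""
    return {
        "swap cert, TLSA untouched": rollover_check(OLD_RRSET, OLD_RRSET, NXT),
        "transitional published, caches old, old cert served": rollover_check(TRANSITIONAL, OLD_RRSET, CUR),
        "transitional published, caches old, new cert served": rollover_check(TRANSITIONAL, OLD_RRSET, NXT),
        "transitional burned in, new cert served": rollover_check(TRANSITIONAL, TRANSITIONAL, NXT),
        "stale digest removed after burn-in": rollover_check(FINAL, TRANSITIONAL, NXT),
        "only usage-1 records published": rollover_check(PKIX_ONLY, PKIX_ONLY, CUR),
    }


if __name__ == "__main__":
    for phase, verdict in rollover_scenarios().items():
        print(f"{phase:55s} -> {verdict}")
```

The two failing phases are exactly the mistakes the thread warns about: replacing the certificate without touching DNS, and deploying the new certificate before the transitional RRset has outlived the old TTL, so a resolver with the stale single-digest RRset still rejects the new key.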