Dear Viktor,
Thank you very much for your high-quality and very useful replies.
On 11.07.23 at 19:45, Viktor Dukhovni wrote:
On Tue, Jul 11, 2023 at 07:01:07PM +0200, Paul Menzel wrote:
On 11.07.23 at 18:48, Benny Pedersen wrote:
Paul Menzel wrote on 2023-07-11 13:35:
Validating the SMTP DANE setup of, it results in success but the details show two untrusted certificates:
mx2.molgen.mpg.de (141.14.17.10) [1]:
3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
It’d be great if you pointed me in the direction of how to get more details for these issues.
# posttls-finger dane.sys4.de ...
https://dane.sys4.de is the Web SMTP DANE validator.
Feel free to ignore distracting/irrelevant follow up comments.
The code behind https://dane.sys4.de is *a* SMTP DANE validator, but, though still useful, is no longer necessarily deserving of being called *the* SMTP DANE validator. It is not actively maintained, and is now a bit dated.
I didn’t know that. Thank you for the clarification.
If you're willing to settle for data that is up to ~24 hours old, and your domain is covered by the DANE survey at
https://stats.dnssec-tools.org/
look there first. Then if you think you've fixed the reported issues, and want a real-time sanity check (don't want to wait for the next run), look at dane.sys4.de. Presently survey runs start shortly after 16:00 UTC and complete shortly after 20:00 UTC (each survey run performs ~100 million DNS queries, and makes around 20k SMTP connections).
That looks very useful. I am going to use that first from now on.
Kind regards,
Paul