On Mon, Sep 07, 2015 at 02:09:35PM +0200, Hoggins! wrote:
I'm trying to validate my DANE records against my SMTP server, but I'm facing something that I cannot understand, because I believe I'm lacking some details about the validation failure: I'm trying to validate smtp.hoggins.fr. It gives me an error on the validator (https://dane.sys4.de/smtp/smtp.hoggins.fr), but I don't know what I need to change about that.
Is there a way to be more verbose about the validation failure? Maybe some client-side checking I can do manually?
The MX host for a domain is required by DNS standards to not be a CNAME alias.
hoggins.fr. IN MX 1 smtp.hoggins.fr.
smtp.hoggins.fr. CNAME mailer.hoggins.fr.
mailer.hoggins.fr. A 5.196.52.52
The validator tries to be more strict than some MTAs, because there may be other MTAs for which CNAMEs in MX records are not valid. Change your MX hostname to "mailer.hoggins.fr" or make "smtp" be an "A" record with the same IP addresses as "mail", rather than an alias.
Once you do that, the mail server's TLSA records are fine:
smtp.hoggins.fr. IN CNAME mailer.hoggins.fr. ; NOERROR AD=1
mailer.hoggins.fr. IN NOTMX 0 smtp.hoggins.fr. ; NOERROR AD=1
_25._tcp.mailer.hoggins.fr. IN TLSA 3 1 2 05460499a59db40f0015caffef33eecb6e6121ee35afd87ee4daf88d3f9d0946a2af16db33ba3fb964d15b8a9018ec6b87e54a4aaa804cd31b20f62026d2314e ; passed
The alias may be exposing a minor bug in the web interface, which may be querying for success with "smtp.hoggins.fr", but the ultimate DANE verification is of "mailer.hoggins.fr".
Avoid aliases in email domain names and MX hosts.
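As an added example (not code from the thread, nor from the dane.sys4.de validator), here are the two checks the reply describes, run offline against a constructed copy of the records quoted above: walking the MX target's CNAME chain to flag an alias, and building/matching a "3 1 2" TLSA record (DANE-EE usage, SPKI selector, SHA-512 matching) from a constructed SPKI blob. The zone dict, the `spki` bytes and all function names are assumptions for illustration.

```python
# Added example, not from the thread: offline MX-alias lint and TLSA 3 1 2
# matching over constructed data. No DNS or TLS traffic is involved.
import hashlib

# Constructed zone: the same shape as the records quoted in the thread.
ZONE = {
    ("hoggins.fr.", "MX"): ["1 smtp.hoggins.fr."],
    ("smtp.hoggins.fr.", "CNAME"): ["mailer.hoggins.fr."],
    ("mailer.hoggins.fr.", "A"): ["5.196.52.52"],
}

def mx_targets(zone, domain):
    """Return the MX target hostnames of a domain (priority stripped)."""
    return [rr.split()[1] for rr in zone.get((domain, "MX"), [])]

def resolve_cname_chain(zone, name, limit=8):
    """Follow CNAMEs from name; return every name visited, bounded by limit."""
    chain = [name]
    while (chain[-1], "CNAME") in zone and len(chain) <= limit:
        chain.append(zone[(chain[-1], "CNAME")][0])
    return chain

def check_mx_not_alias(zone, domain):
    """List MX targets that are CNAME aliases (what the validator rejects)."""
    problems = []
    for target in mx_targets(zone, domain):
        chain = resolve_cname_chain(zone, target)
        if len(chain) > 1:
            problems.append(f"{target} is an alias for {chain[-1]}")
    return problems

def tlsa_3_1_2(spki_der: bytes) -> str:
    """RDATA of a DANE-EE(3) SPKI(1) SHA-512(2) TLSA record for this SPKI."""
    return "3 1 2 " + hashlib.sha512(spki_der).hexdigest()

def tlsa_matches(record: str, spki_der: bytes) -> bool:
    """True when a '3 1 2' TLSA record matches the given SPKI DER bytes."""
    usage, selector, mtype, data = record.split()
    if (usage, selector, mtype) != ("3", "1", "2"):
        return False  # other usage/selector/matching combos not handled here
    return data.lower() == hashlib.sha512(spki_der).hexdigest()

if __name__ == "__main__":
    print(check_mx_not_alias(ZONE, "hoggins.fr."))
    spki = b"constructed SPKI DER, not a real key"  # constructed input
    print(tlsa_3_1_2(spki))
```

Replacing the CNAME with an A record for smtp.hoggins.fr (as the reply suggests) makes `check_mx_not_alias` return an empty list.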