DANE support for cloudron.mail
-
I'm struggling to make cloudron.mail even more secure and tried to set up DANE. I don't know whether this is hosting-provider specific (currently on Netcup). So I do have difficulties setting up a valid TLSA.
Steps to reproduce:
- Download the public key via browser (store it as .pem)
- Generate a TLSA entry for, let's say, port 25 via ssl-tools with
  - Usage: DANE-EE
  - Selector: Use subject public key
  - Matching Type: SHA-256 Hash
  - Certificate: Content of the .pem file
  - Port: 25
  - Protocol: tcp
  - Domain: mail.<DOMAIN.TLD>
- Set up the entries at Netcup as follows:
  `_25._tcp.mail IN TLSA 3 1 1 <FINGERPRINT>`
If I check the entries via internet.nl, I get one pass for DANE existence... but it seems not to be valid...
But it seems to be even more difficult to set up DANE with the short-lived Let's Encrypt certificates. According to internet.nl, we have to republish the entry every time the certificate is renewed, and the Cloudron-generated certificate seems to have no trust anchor (TA). So we are not able to use the TA certificate in the "DANE rollover scheme" (Current + Issuer CA, "3 1 1" + "2 1 1") as the second TLSA entry...
Maybe @girish or anybody else has experience with pinning the Let's Encrypt certificate of Cloudron with a sufficient workaround?
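The record-generation step above, as an added example that is not part of the original post and not Cloudron's or Netcup's code: it builds the "3 1 1" record (DANE-EE, subject public key, SHA-256) and the "2 1 1" issuer record of the rollover scheme from DER certificates using only the Python standard library. A minimal DER walker locates the SubjectPublicKeyInfo, so no third-party X.509 library is needed. The certificates in the block are constructed, SPKI-shaped dummies with the RFC 5280 field order (not real keys), and the host name `mail.example.org` is a placeholder.

```python
"""Build DANE TLSA records (RFC 6698 / RFC 7671) from DER certificates, stdlib only.

Selector 1 hashes the SubjectPublicKeyInfo (SPKI), not the whole certificate,
which is what the "3 1 1" record in the post uses.  For a real PEM file the
equivalent openssl pipeline is:
  openssl x509 -in cert.pem -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256
"""
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Return (tag, header_len, content_len) of the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _children(buf, pos):
    """Yield (start, end) offsets of each element inside the SEQUENCE at pos."""
    _, hlen, clen = _read_tlv(buf, pos)
    cur, end = pos + hlen, pos + hlen + clen
    while cur < end:
        _, h, c = _read_tlv(buf, cur)
        yield cur, cur + h + c
        cur += h + c


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file (as saved from a browser)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(cert_der):
    """Inverse of pem_to_der, used for the round-trip check."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert_der).decode() + "\n-----END CERTIFICATE-----\n"


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    tbs_start, _ = next(_children(cert_der, 0))          # Certificate -> tbsCertificate
    fields = list(_children(cert_der, tbs_start))
    if cert_der[fields[0][0]] == 0xA0:                    # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    start, end = fields[5]
    return cert_der[start:end]


def tlsa_data(cert_der, selector=1, matching=1):
    """Association data: selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    payload = extract_spki(cert_der) if selector == 1 else cert_der
    if matching == 0:
        return payload.hex()
    if matching == 1:
        return hashlib.sha256(payload).hexdigest()
    if matching == 2:
        return hashlib.sha512(payload).hexdigest()
    raise ValueError("unknown TLSA matching type")


def tlsa_record(host, port, cert_der, usage=3, selector=1, matching=1, proto="tcp"):
    """One zone-file line for _<port>._<proto>.<host>."""
    data = tlsa_data(cert_der, selector, matching)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching} {data}"


def dane_rollover_records(host, port, leaf_der, issuer_der):
    """Leaf pinned as '3 1 1' plus its issuer as '2 1 1' (the scheme named in the post)."""
    return [tlsa_record(host, port, leaf_der, usage=3),
            tlsa_record(host, port, issuer_der, usage=2)]


# ---- constructed test data (dummy certificates, not real keys) -------------
def _der(tag, content):
    """Encode one DER element with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content


def fake_spki(seed):
    """SPKI-shaped blob: rsaEncryption AlgorithmIdentifier + dummy BIT STRING."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + hashlib.sha256(seed).digest() * 2))


def fake_cert(spki_der, with_version=True):
    """Certificate with the RFC 5280 field order but dummy names, dates and signature."""
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, version + _der(0x02, b"\x01") + sig_alg + empty_name
               + validity + empty_name + spki_der)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 33))


LEAF_SPKI, ISSUER_SPKI = fake_spki(b"leaf"), fake_spki(b"issuer")
LEAF_CERT, ISSUER_CERT = fake_cert(LEAF_SPKI), fake_cert(ISSUER_SPKI)

if __name__ == "__main__":
    for line in dane_rollover_records("mail.example.org", 25, LEAF_CERT, ISSUER_CERT):
        print(line)
```

Because selector 1 hashes only the public key, a "3 1 1" record stays valid across a renewal that reuses the same key pair and only needs republishing when the ACME client generates a fresh key; the "2 1 1" issuer record likewise has to match the intermediate that actually signed the current certificate. After publishing, `dig TLSA _25._tcp.mail.<DOMAIN.TLD>` should return exactly the data this block prints, with DNSSEC on the zone, since DANE is only honoured by clients when the TLSA record is DNSSEC-signed.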