TLSA and DANE is missing on Cloudron mailserver
-
Hi,
I’m managing 2 Cloudron servers for 2 local foundations that needs also be able to email with and from our local government.
Since a few weeks their email is not reaching us, it seems TLSA and DANE is needed for governments.
I also did a check on Cloudron.io but that test even fails more, in our case only DANE is missing but urgently needed as we are missing important emails.
-
Because it was so urgent (imagine we couldn't receive mails from the government who subsidise us and is partner in activities) I created a work around but it has to be repeated every time the CERTS get renewed (@girish when is this exactly?):
- go to a sub domain website (like www.) same as your mailserver is
- download the public key in PEM (convince yourself it's the wildcard cert)
- go to https://www.huque.com/bin/gen_tlsa
- leave the radio buttons as they are
- paste the PEM
- port number is 25
- transport protocol is tcp
- domain name is you mailserver domain name
- generate DNS record
- go to your DNS host and create a TLSA record with the details from the generated record in step 9.
- wait some minutes (or longer depending on propagation) and test via https://www.huque.com/bin/danecheck-smtp
This has to be repeated on the same date/time as the mail server wildcard certificate is renewed, THAT is tricky
-
Interesting that DANE is a requirement. The big email providers have gone with STS instead. From what I read in the past, DANE is more secure and much easier to deploy than STS. STS required DNS and a wellknown record as opposed to DANE.
@imc67 On Cloudron, we always re-use the private key. So, you can use the public key hash. See also https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/
-
You can also use the usage 0 (based on Let's Encrypt CA). On ubuntu, if you install
hash-slinger, it provides the records:$ tlsa --usage 0 --selector 1 --mtype 1 --port 993 my.smartserver.io Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d -
Interesting that DANE is a requirement. The big email providers have gone with STS instead. From what I read in the past, DANE is more secure and much easier to deploy than STS. STS required DNS and a wellknown record as opposed to DANE.
@imc67 On Cloudron, we always re-use the private key. So, you can use the public key hash. See also https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/
@girish it’s indeed strange they require DANE / TLSA, that’s what their Helpdesk answered but I doubt it’s the reason for failing. I’ve checked GMail and they don’t have DANE / TLSA either.
But I have to implement it otherwise they blame us, beside that it’s better to be extra safe.
Thanks for the hint about the public key!
-
You can also use the usage 0 (based on Let's Encrypt CA). On ubuntu, if you install
hash-slinger, it provides the records:$ tlsa --usage 0 --selector 1 --mtype 1 --port 993 my.smartserver.io Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d -
Hi,
I’m managing 2 Cloudron servers for 2 local foundations that needs also be able to email with and from our local government.
Since a few weeks their email is not reaching us, it seems TLSA and DANE is needed for governments.
I also did a check on Cloudron.io but that test even fails more, in our case only DANE is missing but urgently needed as we are missing important emails.
@imc67 said in TLSA and DANE is missing on Cloudron mailserver:
I also did a check on Cloudron.io but that test even fails more, in our case only DANE is missing but urgently needed as we are missing important emails.
We never implemented DNSSEC. So far, there hasn't been a need for it. All our services are protected with PKI...
-
@imc67 port 993 uses TLS (can also use 465). Port 25/587 use STARTTLS i.e it is a plain text connection which upgrades to TLS.
Thetlsawants somewhere to make a TLS connection to i.e it is providing the above DNS values by making a live connection to the server.edit: Whoops, I was wrong. Port 25 works fine too. Looks like it takes care of starttls. The issue was that I was trying to connect to port 25 from my home and outbound port 25 is blocked.
-
Well, I ended up enabling DNSSEC for cloudron.io
I put notes on DANE setup at https://docs.cloudron.io/email/#dane . Sadly, route53 (which we use for cloudron.io) does not support TLSA records. So, no DANE for us. -
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
-
Well, I ended up enabling DNSSEC for cloudron.io
I put notes on DANE setup at https://docs.cloudron.io/email/#dane . Sadly, route53 (which we use for cloudron.io) does not support TLSA records. So, no DANE for us. -
@robi said in TLSA and DANE is missing on Cloudron mailserver:
@girish FYI, Cloudflare supports TLSA records.
Right I used it, simply and quickly
-
Well, I ended up enabling DNSSEC for cloudron.io
I put notes on DANE setup at https://docs.cloudron.io/email/#dane . Sadly, route53 (which we use for cloudron.io) does not support TLSA records. So, no DANE for us. -
Just a quick note here. Route53 supports TLSA records now.
