TLSA and DANE is missing on Cloudron mailserver
-
Interesting that DANE is a requirement. The big email providers have gone with STS instead. From what I read in the past, DANE is more secure and much easier to deploy than STS. STS required DNS and a wellknown record as opposed to DANE.
@imc67 On Cloudron, we always re-use the private key. So, you can use the public key hash. See also https://mytechiethoughts.com/linux/implementing-dane-with-certbot-using-lets-encrypt/
-
You can also use the usage 0 (based on Let's Encrypt CA). On ubuntu, if you install
hash-slinger
, it provides the records:$ tlsa --usage 0 --selector 1 --mtype 1 --port 993 my.smartserver.io Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d Got a certificate with the following Subject: /C=US/O=Let's Encrypt/CN=R3 Use this as certificate to match? [y/N] y _993._tcp.my.smartserver.io. IN TLSA 0 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
-
@girish it’s indeed strange they require DANE / TLSA, that’s what their Helpdesk answered but I doubt it’s the reason for failing. I’ve checked GMail and they don’t have DANE / TLSA either.
But I have to implement it otherwise they blame us, beside that it’s better to be extra safe.
Thanks for the hint about the public key!
-
@imc67 said in TLSA and DANE is missing on Cloudron mailserver:
I also did a check on Cloudron.io but that test even fails more, in our case only DANE is missing but urgently needed as we are missing important emails.
We never implemented DNSSEC. So far, there hasn't been a need for it. All our services are protected with PKI...
-
@imc67 port 993 uses TLS (can also use 465). Port 25/587 use STARTTLS i.e it is a plain text connection which upgrades to TLS.
Thetlsa
wants somewhere to make a TLS connection to i.e it is providing the above DNS values by making a live connection to the server.edit: Whoops, I was wrong. Port 25 works fine too. Looks like it takes care of starttls. The issue was that I was trying to connect to port 25 from my home and outbound port 25 is blocked.
-
Well, I ended up enabling DNSSEC for cloudron.io I put notes on DANE setup at https://docs.cloudron.io/email/#dane . Sadly, route53 (which we use for cloudron.io) does not support TLSA records. So, no DANE for us.
-
-
-
@robi said in TLSA and DANE is missing on Cloudron mailserver:
@girish FYI, Cloudflare supports TLSA records.
Right I used it, simply and quickly