DANE support for cloudron.mail
I'm struggling to make cloudron.mail even more secure and tried to set up DANE. I don't know whether this is hosting-provider specific (currently on Netcup). So I have difficulties setting up a valid TLSA record.
Steps to reproduce:
- Download the public key via browser (store it as .pem)
- Generate a TLSA entry for, let's say, port 25 via ssl-tools with
  - Usage: DANE-EE
  - Selector: Use subject public key
  - Matching Type: SHA-256 Hash
  - Certificate: Content of the .pem file
  - Port: 25
  - Protocol: tcp
  - Domain: mail.<DOMAIN.TLD>
- Set up the entry at Netcup with the following record:

_25._tcp.mail in TLSA 3 1 1 <FINGERPRINT>

If I check the entries via internet.nl I'm able to get one check for DANE existence... but it seems not to be valid...
But it seems to be even more difficult to set up DANE with the short-lived Let's Encrypt certificates. According to internet.nl we have to republish the entry every time the certificate is renewed, and the Cloudron-generated certificate seems to have no trust anchor (TA). So we are not able to use the TA certificate in the "DANE rollover scheme" (Current + Issuer CA, "3 1 1" + "2 1 1") as a second TLSA entry...
Maybe @girish or anybody else has experience in pinning the Let's Encrypt certificate of Cloudron with a sufficient workaround?
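As an added example (not from this post or from Cloudron), the Python below computes the "3 1 1" record the same way ssl-tools does, as the SHA-256 of the certificate's DER SubjectPublicKeyInfo, and goes a little beyond the post by taking a usage parameter so the same function yields the "2 1 1" line for the issuer CA certificate of the rollover pair. It uses only the standard library, so it can be run against the real .pem from the server. The embedded certificate and the name mail.example.com are constructed stand-ins.

```python
import base64
import hashlib
import ssl

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _tlv(der: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (TLSA selector 1) of a cert."""
    _, pos, _ = _tlv(cert_der, 0)                     # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)                   # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                         # optional [0] version
        _, _, pos = _tlv(cert_der, pos)
    for _ in range(5):                                # serial, sigAlg, issuer,
        _, _, pos = _tlv(cert_der, pos)               # validity, subject
    _, _, end = _tlv(cert_der, pos)                   # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_record(cert_pem: str, host: str, port: int = 25, usage: int = 3) -> str:
    """Zone line '<usage> 1 1': usage 3 (DANE-EE) for the server cert,
    usage 2 (DANE-TA) for the issuing CA cert of the rollover pair."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    digest = hashlib.sha256(spki_from_der(der)).hexdigest()
    return f"_{port}._tcp.{host}. IN TLSA {usage} 1 1 {digest}"

# Constructed stand-in certificate (not a real or trusted cert): only the
# X.509 field layout matters here; the key is a dummy 32-byte Ed25519 SPKI.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2B6570")))
                   + _der(0x03, b"\x00" + bytes(range(32))))
SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02"))
                                  + _der(0x02, b"\x01") + _der(0x30, b"") * 4
                                  + SAMPLE_SPKI)
                       + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_CERT_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

Because selector 1 hashes only the public key and not the whole certificate, the digest changes only when the key pair changes, not on every reissue that keeps the same key.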