Cloudron Forum

DANE support for cloudron.mail

Feature Requests | email
1 Posts, 1 Posters, 74 Views

m-si wrote (last edited by girish), #1

I'm in a struggle to make cloudron.mail even more secure and tried to set up DANE. I don't know whether this is hosting-provider specific (currently on Netcup). So I have difficulties setting up a valid TLSA.

Steps to reproduce:

1. Download the public key via browser (store it as .pem)
2. Generate a TLSA entry for, let's say, port 25 via ssl-tools with
   • Usage: DANE-EE
   • Selector: Use subject public key
   • Matching Type: SHA-256 Hash
   • Certificate: Content of .pem file
   • Port: 25
   • Protocol: tcp
   • Domain: mail.<DOMAIN.TLD>
3. Set up entries at Netcup with the following entries

   _25._tcp.mail    in  TLSA    3 1 1 <FINGERPRINT>

If I check the entries via internet.nl I'm able to get one check for DANE Existence... but it seems to be not valid...

But it seems to be even more difficult to set up DANE with the short-lived Let's Encrypt certificates. According to internet.nl we have to republish the entry every time the certificate is renewed, and the Cloudron-generated certificate seems to have no trust anchor (TA). So we are not able to use the TA certificate in the "DANE Rollover scheme" (Current + Issuer CA "3 1 1" + "2 1 1") as second TLSA entry...

Maybe @girish or anybody else has experience in pinning the Let's Encrypt certificate of Cloudron with a sufficient workaround?


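A point worth checking when reading the renewal problem above: a TLSA "3 1 1" record hashes only the certificate's SubjectPublicKeyInfo, so it keeps matching across Let's Encrypt renewals as long as the server reuses the same key pair, whereas a "3 0 1" record (full certificate) changes with every renewal. The following is an added example, not code from the post or from Cloudron, that derives both record forms with the standard library and shows that difference on a constructed certificate skeleton; `mail.example.org`, the sample SPKI bytes and `sample_cert_der` are placeholders for this illustration.

```python
"""DANE TLSA helper (RFC 6698, standard library only): derive the association
data a "3 1 1" or "3 0 1" record carries and format the zone line. Added example;
the certificate used in the self-check is a constructed skeleton, not a real one."""
import hashlib

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos, returning (tag, body, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_der(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (TLSA selector 1), header included."""
    _, cert, _ = _tlv(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                    # collect (tag, raw TLV) of each tbs field
        tag, _, end = _tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    # v3 certificates begin with an EXPLICIT [0] version field; v1 omits it.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def tlsa_data(selector, mtype, cert_der):
    """Selector 0 = full certificate, 1 = SPKI; matching type 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def tlsa_record(domain, port, cert_der, usage=3, selector=1, mtype=1, proto="tcp"):
    """Zone line such as `_25._tcp.mail.example.org. IN TLSA 3 1 1 <hash>`."""
    return (f"_{port}._{proto}.{domain}. IN TLSA {usage} {selector} {mtype} "
            f"{tlsa_data(selector, mtype, cert_der)}")

def _der(tag, body):
    """Encode one short-form DER TLV (bodies under 128 bytes; enough for the sample)."""
    return bytes([tag, len(body)]) + body

def sample_cert_der(spki, serial=b"\x01"):
    """Constructed minimal v3 certificate skeleton around the given SPKI; only the
    tbsCertificate field order matters here (sig alg, issuer, validity, subject are stubs)."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

To use it on a real certificate, pass the DER bytes of the served certificate (for example the PEM body base64-decoded) to `tlsa_record`, and compare the result with the record the DNS provider publishes.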