On 07/09/2015 18:02, Viktor Dukhovni wrote:
>> > I'm trying to validate my DANE records against my SMTP server, but I'm
>> > facing something that I cannot understand, because I believe I'm lacking
>> > some details about the validation failure: I'm trying to validate
>> > smtp.hoggins.fr. It gives me an error on the validator
>> > (https://dane.sys4.de/smtp/smtp.hoggins.fr), but I don't know what I
>> > need to change about that.
>> >
>> > Is there a way to be more verbose about the validation failure? Maybe
>> > some client-side checking I can do manually?
> The MX host for a domain is required by DNS standards to not be a
> CNAME alias.
>
> hoggins.fr. IN MX 1 smtp.hoggins.fr.
> smtp.hoggins.fr. CNAME mailer.hoggins.fr.
> mailer.hoggins.fr. A 5.196.52.52
>
> The validator tries to be more strict than some MTAs, because there
> may be other MTAs for which CNAMEs in MX records are not valid.
> Change your MX hostname to "mailer.hoggins.fr" or make "smtp" be an
> "A" record with the same IP addresses as "mail", rather than an
> alias.
>
> Once you do that, the mail server's TLSA records are fine:
>
> smtp.hoggins.fr. IN CNAME mailer.hoggins.fr. ; NOERROR AD=1
> mailer.hoggins.fr. IN NOTMX 0 smtp.hoggins.fr. ; NOERROR AD=1
> _25._tcp.mailer.hoggins.fr. IN TLSA 3 1 2
> 05460499a59db40f0015caffef33eecb6e6121ee35afd87ee4daf88d3f9d0946a2af16db33ba3fb964d15b8a9018ec6b87e54a4aaa804cd31b20f62026d2314e
> ; passed
>
> The alias may be exposing a minor bug in the web interface, which
> may be querying for success with "smtp.hoggins.fr", but the ultimate
> DANE verification is of "mailer.hoggins.fr".
>
> Avoid aliases in email domain names and MX hosts.

Will do, thanks!
Hoggins!
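
An offline version of the manual check asked about above, added here as an example and not part of the original messages: it parses zone-style records, flags any MX exchange that is a CNAME alias, and reports the name under which the TLSA record was checked in the quoted validator output. The function names are hypothetical, and the sample zone is constructed from the three records quoted in the reply.

```python
# Constructed sample: the three records quoted in the thread.
ZONE = """\
hoggins.fr. IN MX 1 smtp.hoggins.fr.
smtp.hoggins.fr. CNAME mailer.hoggins.fr.
mailer.hoggins.fr. A 5.196.52.52
"""

TYPES = {"MX", "CNAME", "A", "AAAA"}

def parse_zone(text):
    """Return {owner: {rrtype: [rdata_fields, ...]}} from 'owner [IN] TYPE rdata' lines."""
    zone = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop trailing ';' comments
        if len(fields) < 3:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest[0].upper() == "IN":              # the class field is optional
            rest = rest[1:]
        rrtype, rdata = rest[0].upper(), rest[1:]
        if rrtype in TYPES and rdata:
            zone.setdefault(owner, {}).setdefault(rrtype, []).append(rdata)
    return zone

def resolve_alias(zone, name, max_hops=8):
    """Follow CNAMEs from name; return (canonical_name, list_of_aliases_crossed)."""
    chain = []
    while "CNAME" in zone.get(name, {}) and len(chain) < max_hops:
        chain.append(name)
        name = zone[name]["CNAME"][0][0].lower()
    return name, chain

def audit_mx(zone, domain, port=25):
    """Report, per MX record of domain, whether the exchange is an alias."""
    findings = []
    for rdata in zone.get(domain, {}).get("MX", []):
        if len(rdata) != 2:                      # expect 'preference exchange'
            continue
        exchange = rdata[1].lower()
        canonical, chain = resolve_alias(zone, exchange)
        findings.append({
            "mx": exchange,
            "is_alias": bool(chain),             # True means the MX host is a CNAME
            "canonical": canonical,
            "tlsa_owner": f"_{port}._tcp.{canonical}",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_mx(parse_zone(ZONE), "hoggins.fr."):
        print(finding)
```
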
