Hello List!

On 2025-10-16 14:09, Viktor Dukhovni via mailop wrote:

    With DANE, client certificates can and SHOULD be self-signed, but can be
    from a private CA, when that makes sense.  MTA server certificates can
    also be self-signed, though on the MSA ports 465 and 587 a certificate
    chained to one of the usual WebPKI trust-anchors is typically useful to
    placate MUAs.


Does this setup work, a self-signed certificate in combination with
DANE?

Whenever I tried this, connections from Gmail and Protonmail (and
potentially others) got dropped right after TLS:

  Protonmail:
  postfix/smtpd[9723]: Anonymous TLS connection established from mail-106109.protonmail.ch[79.135.106.109]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
  postfix/smtpd[9723]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
  postfix/smtpd[9723]: < mail-106109.protonmail.ch[79.135.106.109]: QUIT
  postfix/smtpd[9723]: > mail-106109.protonmail.ch[79.135.106.109]: 221 2.0.0 Bye

  Gmail:
  postfix/smtpd[450701]: Anonymous TLS connection established from mail-qt1-x830.google.com[2607:f8b0:4864:20::830]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
  postfix/smtpd[450701]: NOQUEUE: lost connection after STARTTLS from mail-qt1-x830.google.com[2607:f8b0:4864:20::830]

That's with a self-signed RSA 4096 certificate.

I first thought that something was amiss with my DANE setup and that it
was simply falling back to TLS, but with a Let's Encrypt cert I have no
problems with DANE (same setup, different certificate).

Then I still altered my self-signed certificate
("subjectAltName=DNS:$myhostname" and "basicConstraints=CA:FALSE"), but
no joy. I never figured out where things went wrong, but it seemed silly
to use a CA cert in combination with DANE.

I do use CA certs for ports 465 and 587 to "placate MUAs".

Any input and/or debugging help would be much appreciated.

Kind regards,
Edmund Lodewijks


-- 
Edmund Lodewijks <[email protected]>
TZ: UCT+2 / GMT+2
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

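One check worth running before suspecting the remote MTAs: confirm that the published TLSA record actually matches the self-signed certificate Postfix serves. The Go program below is an added example, not code from the post or from Postfix; it derives the DANE-EE(3) SPKI(1) SHA2-256(1) record data from a certificate and compares it with a record string, using a throwaway self-signed certificate for the made-up host mx.example.invalid as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)

// tlsaRecord returns the DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record data
// for cert, i.e. what an MTA publishes at _25._tcp.<mx-host>.
func tlsaRecord(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// tlsaMatches compares a published "3 1 1 <hex>" record with the served
// certificate; only the SPKI digest matters, not issuer, expiry or CA flag.
func tlsaMatches(record string, cert *x509.Certificate) bool {
	f := strings.Fields(strings.ToLower(record))
	return strings.Join(f, " ") == tlsaRecord(cert)
}

// selfSignedCert builds a throwaway self-signed certificate for hostname
// (constructed test input, not a real MX certificate).
func selfSignedCert(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{hostname}, // subjectAltName=DNS:...
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // basicConstraints=CA:FALSE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a live setup, load the PEM served on port 25 in place of selfSignedCert and pass the record data returned by a TLSA lookup for _25._tcp.<mx-host> to tlsaMatches.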