Hello List!

On 2025-10-16 14:09, Viktor Dukhovni via mailop wrote:
> With DANE, client certificates can and SHOULD be self-signed, but can be
> from a private CA, when that makes sense. MTA server certificates can
> also be self-signed, though on the MSA ports 465 and 587 a certificate
> chained to one of the usual WebPKI trust-anchors is typically useful to
> placate MUAs.

Does this setup work, a self-signed certificate in combination with DANE?

Whenever I tried this, connections from Gmail and Protonmail (and potentially others) got dropped right after TLS:

Protonmail:

postfix/smtpd[9723]: Anonymous TLS connection established from mail-106109.protonmail.ch[79.135.106.109]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
postfix/smtpd[9723]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
postfix/smtpd[9723]: < mail-106109.protonmail.ch[79.135.106.109]: QUIT
postfix/smtpd[9723]: > mail-106109.protonmail.ch[79.135.106.109]: 221 2.0.0 Bye

Gmail:

postfix/smtpd[450701]: Anonymous TLS connection established from mail-qt1-x830.google.com[2607:f8b0:4864:20::830]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
postfix/smtpd[450701]: NOQUEUE: lost connection after STARTTLS from mail-qt1-x830.google.com[2607:f8b0:4864:20::830]

That's with a self-signed RSA 4096 certificate. I first thought that something was amiss with my DANE setup and that it was simply falling back to TLS, but with a Let's Encrypt cert I have no problems with DANE (same setup, different certificate). Then I still altered my self-signed certificate ("subjectAltName=DNS:$myhostname" and "basicConstraints=CA:FALSE"), but no joy.

I never figured out where things went wrong, but it seemed silly to use a CA cert in combination with DANE. I do use CA certs for ports 465 and 587 to "placate MUAs".

Any input and/or debugging help would be much appreciated.

Kind regards,
Edmund Lodewijks

--
Edmund Lodewijks <[email protected]>
TZ: UCT+2 / GMT+2
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
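An added diagnostic, not part of Edmund's post and not Postfix or mailop tooling: a small POSIX shell script that derives the DANE-EE TLSA "3 1 1" record (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) from a certificate file and compares it with a record value. A self-signed server certificate is fine with DANE only while the TLSA record published for `_25._tcp.<host>` matches the key actually served on port 25, so when DANE-verifying senders drop the session after STARTTLS, the first thing to check is that the record computed from the served certificate equals what DNS publishes. The script assumes the `openssl` CLI; the hostname `mail.example.test` and the throwaway 2048-bit key are constructed for the demo (the poster's is RSA 4096), and the optional live lookup assumes `dig` and network access.

```shell
#!/bin/sh
# Added example: derive and check DANE TLSA records for a certificate.
# Assumes the openssl CLI. All files live in a throwaway directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a constructed self-signed certificate for the demo (hostname is a
# placeholder, key size reduced to keep the demo fast). Prints the cert path.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# TLSA 3 1 1: SHA-256 over the DER-encoded SubjectPublicKeyInfo. Because
# only the key is hashed, re-issuing a self-signed cert with the same key
# keeps this record valid.
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //'
}

# TLSA 3 0 1: SHA-256 over the whole DER certificate. This one changes on
# every re-issue, so it must be republished together with the certificate.
tlsa_3_0_1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# Same SPKI hash computed from the private key, useful when the cert on disk
# and the cert actually served are suspected to differ.
spki_hash_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}

# Print the zone-file line to publish for a host (port 25) and certificate.
tlsa_record_line() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_3_1_1 "$2")"
}

# Compare the cert's 3 1 1 hash with a record value as copied from dig output
# (case-insensitive; dig may split the hex with a space, which is removed).
tlsa_matches() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    [ "$(tlsa_3_1_1 "$1")" = "$want" ]
}

# Optional live lookup (assumes dig and network access; not used offline):
# returns the hex of every published 3 1 1 record for _25._tcp.<host>.
published_tlsa() {
    dig +short TLSA "_25._tcp.$1" \
        | awk '$1 == 3 && $2 == 1 && $3 == 1 { print tolower($4 $5) }'
}

# Stand-alone demo: build the throwaway cert and print its TLSA line.
# Real-world use: tlsa_matches /etc/postfix/cert.pem "$(published_tlsa mail.example.test)"
DEMO_CERT=$(make_selfsigned_cert mail.example.test)
tlsa_record_line mail.example.test "$DEMO_CERT"
```

Run it against the certificate Postfix actually serves (the file named by `smtpd_tls_cert_file`), not the one you think is deployed; the key-based cross-check exists because a cert/key mismatch after a renewal is a common way for a once-correct 3 1 1 record to stop matching.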
