On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote:
> I've just enabled DANE and https://dane.sys4.de is green when I test
> my domain numeezy.com. Also
> postfix SMTP client says "Verified TLS connection established to
> mail-in-1.numeezy.com[188.165.154.163]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
>
> Maybe some DANE expert here can definitely confirm that my setup is sane.
Yes, your DANE TLSA records match for both the primary and secondary
MX hosts. You've also *not* made the mistake of using the same
certificate for both the primary and secondary MX hosts, thereby
risking an outage of both when you replace a single certificate.
And you're using "3 1 1" records, which are stable when you renew
your certificate with the same private key. So overall, quite
good; however, you can do even better, see:
https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
based on which I would strongly recommend:
_25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
_25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
_25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
_25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
The above is based on the below observed DNS records, certificate
chain and associated matching TLSA records:
numeezy.com. IN MX 1 mail-in-1.numeezy.com.
numeezy.fr. IN MX 1 mail-in-1.numeezy.com.
medialta.com. IN MX 1 mail-in-1.numeezy.com.
medialta.fr. IN MX 1 mail-in-1.numeezy.com.
medialta.eu. IN MX 1 mail-in-1.numeezy.com.
mail-in-1.numeezy.com. IN A 188.165.154.163 ; passed
_25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48 ; passed at depth=0
;
; Depth: actual=0, wire=0
; Subject = CN=mail-in-1.numeezy.com,O=Numeezy SARL,L=PARIS,ST=Ile-de-France,C=FR
; Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
; Valid from 2016-05-17T12:16:30Z until 2019-05-17T12:16:30Z
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 1 cf43899685886c77e6e86d6a063c957df7858e7ea1bc3896b464fc6502685b48
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 1 50f417dbdab3677847eb0107d363044f4166eed1bb333daf6320d6b8daefb70e
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 1 2 5061dc02e6df14ad409acb5c2bb4992f80e1a5a1cc53faa5d81bd42d644010260e9a94747599c49df6b576981a6c6bf02b86764758c2bf4008ae6387f558a7c4
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 3 0 2 b7b3d2036ad1d77d6c187e1f3fd9de28fc3f74af725a48c242bebc8eb1c4af56b06747bb1622cb27ef696f8741d09066d640768f9caa944a8981da174752a058
;
; Depth: actual=1, wire=1
; Match = mail-in-1.numeezy.com
; Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
; Issuer = CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
; Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 1 ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 1 2 d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
; _25._tcp.mail-in-1.numeezy.com. IN TLSA 2 0 2 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
numeezy.com. IN MX 5 mail-in-2.numeezy.com.
numeezy.fr. IN MX 5 mail-in-2.numeezy.com.
medialta.com. IN MX 5 mail-in-2.numeezy.com.
medialta.fr. IN MX 5 mail-in-2.numeezy.com.
medialta.eu. IN MX 5 mail-in-2.numeezy.com.
mail-in-2.numeezy.com. IN A 37.59.203.174 ; passed
_25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e ; passed at depth=0
;
; Depth: actual=0, wire=0
; Subject = CN=mail-in-2.numeezy.com,O=Numeezy SARL,L=PARIS,ST=Ile-de-France,C=FR
; Issuer = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
; Valid from 2016-05-17T12:39:52Z until 2019-05-17T12:39:52Z
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 1 8aee8995fca9c9cb89d0057f40b42cdcf23b1abc037681acd74af8c68b12a41e
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 1 c49354b6b553fed27d8b66aa42a7be4f18d8979e5c6260bd62d174051fb58b3a
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 1 2 7292aba36d879109a7ef70143ca3dc499c7774b693f4e6f9392ccb8b365b084cf583ee2533d4987582d8e8626c7f4d894826f3df0e686c07c201a5af08020b86
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 3 0 2 cd703c0fd747873a29d6467dc6e18fc7334a94918e59d9c6a9ba7320f1c8aea8473fe8d1edac9f3e2e7d6099eb17231832c5cc013500340be22c3830e91a21a2
;
; Depth: actual=1, wire=1
; Match = mail-in-2.numeezy.com
; Subject = CN=StartCom Class 3 OV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL
; Issuer = CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
; Valid from 2015-12-16T01:00:05Z until 2030-12-16T01:00:05Z
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 1 d765efb29fd40114afb1e830dbca8d1283e99086617ff18b07ad4ba58e7b0166
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 1 ea4e5d2b9c99560f13dd094b8121a623bfdd902038dfd6d772ce32ffabec094d
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 1 2 d26da4f0733b1f4af61f9db3c0e5bd6e379022e41038cb2cf7f38e273bdcaf98e0afd9b119e0fd85b090afec3d46020cbaee0158015666360ccc73418a0d3794
; _25._tcp.mail-in-2.numeezy.com. IN TLSA 2 0 2 6a4bd383b21927f44f09263819d2917edbd8a8ea58d97dac48c26a1e88e5c7062691366f79300705da4b68b5bf9153477241f7603faf4ac03d1cde69abaef328
You have three-year certificates; that may well be "too long": in
3 years' time you'll forget you have DANE TLSA records that need to
change when you change your private/public key pair. Also, after
three years you'll probably want a new private key.
Carefully document the correct certificate rollover procedure and
required DNS updates in README files in the directories where the
certificates are kept and reference them in the main.cf file or
other configuration files that use those certificates.
--
Viktor.
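Added example, not part of the thread: a stdlib-only Python script that derives TLSA RDATA from DER certificates the way the records above are built (selector 0 hashes the whole certificate, selector 1 only the SubjectPublicKeyInfo; matching type 1 is SHA-256, 2 is SHA-512), and demonstrates why a "3 1 1" record survives a renewal with the same key pair while "3 0 1" does not. The certificate bytes are constructed skeletons built in the code, not the real numeezy.com certificates, and the DER walker assumes RFC 5280 field order.

```python
import hashlib

def der(tag, *parts):
    """Encode one DER TLV with minimal length octets (bodies under 64 KiB)."""
    body = b"".join(parts)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_hdr_len(tlv, pos=0):
    """Return (header size, content length) of the TLV starting at pos."""
    n = tlv[pos + 1]
    k = n & 0x7F if n & 0x80 else 0
    return 2 + k, (int.from_bytes(tlv[pos + 2:pos + 2 + k], "big") if k else n)

def der_split(content):
    """Split DER content octets into the TLV elements they contain."""
    out, pos = [], 0
    while pos < len(content):
        h, n = der_hdr_len(content, pos)
        out.append(content[pos:pos + h + n])
        pos += h + n
    return out

def spki_of(cert_der):
    """DER subjectPublicKeyInfo: 7th tbsCertificate field, or 6th when no explicit [0] version."""
    tbs = der_split(cert_der[der_hdr_len(cert_der)[0]:])[0]
    fields = der_split(tbs[der_hdr_len(tbs)[0]:])
    return fields[6 if fields[0][0] == 0xA0 else 5]

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA RDATA (RFC 6698): selector 0 = full cert, 1 = SPKI; mtype 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    digest = hashlib.sha256(data) if mtype == 1 else hashlib.sha512(data)
    return f"{usage} {selector} {mtype} {digest.hexdigest()}"

def tlsa_rr(host, cert_der, usage, selector, mtype):
    return f"_25._tcp.{host}. IN TLSA {tlsa_rdata(cert_der, usage, selector, mtype)}"

# Constructed test data: unsigned v3 certificate skeletons carrying a dummy RSA SPKI.
OID_RSA, OID_SHA256_RSA = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a864886f70d01010b")
SPKI = der(0x30, der(0x30, der(0x06, OID_RSA), der(0x05)), der(0x03, b"\x00" + bytes(range(64))))
def fake_cert(serial, spki):
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA), der(0x05))
    validity = der(0x30, der(0x17, b"160517121630Z"), der(0x17, b"190517121630Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, serial), sig_alg,
              der(0x30), validity, der(0x30), spki)
    return der(0x30, tbs, sig_alg, der(0x03, b"\x00" + bytes(32)))
CERT_2016 = fake_cert(b"\x01", SPKI)     # the certificate in service today
CERT_RENEWED = fake_cert(b"\x02", SPKI)  # renewed with the same key pair: "3 1 1" unchanged, "3 0 1" changes
```

Run `tlsa_rr("mail-in-1.numeezy.com", CERT_2016, 3, 1, 1)` and the same call for `CERT_RENEWED` to see the identical "3 1 1" line; with a real deployment the issuer CA's DER goes through `tlsa_rr(host, ca_der, 2, 1, 1)` for the "2 1 1" record recommended above.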