On Sat, Sep 03, 2022, Carl Byington via mailop wrote:
> A former client was trying to set up Fedora 36 sendmail with dane
> validation. F36 comes with sendmail 8.17.1 which is supposed to support
> dane, but they get verify=fail talking to my mail servers. So I googled
It would have been nice if
On Sat, 2022-09-03 at 17:41 +, ml+mailop--- via mailop wrote:
> How did you notice that "something is now broken"?
A former client was trying to set up Fedora 36 sendmail with dane
validation. F36 comes with sendmail 8.17.1 which is supposed to
How did you notice that "something is now broken"?
"works for me" - I just tried it with an MTA that supports DANE:
server=172.102.240.42,
starttls=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, verify=DANE_SEC,
cert_subject=/CN=mail3.five-ten-sg.com,
cert_issuer=/C=US/O=Let's+20Encrypt/CN=R3,
On 3 September 2022 9:17:41 UTC, Simon Arlott via mailop
wrote:
>Looks like the latest version of this (https://github.com/shuque/gotls)
>returns the reason why it fails, which appears to be a bug in the tool
>caused by the expired DST X3 CA:
>
>Result: FAILED: DANE TLS error:
On 02/09/2022 16:16, Carl Byington via mailop wrote:
> Years ago I set up automation for tlsa records to support smtp dane here.
> However, something is now broken, and I am not sure what is wrong.
>
> _25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
>
It appears that Carl Byington via mailop said:
>On Fri, 2022-09-02 at 18:42 +, ml+mailop--- via mailop wrote:
>> Are you sure you want 3 0 1 and not 3 1 1?
>
>Yes. We are publishing the hash of the full certificate. Note there are
>two tlsa
On Fri, 2022-09-02 at 18:42 +, ml+mailop--- via mailop wrote:
> Are you sure you want 3 0 1 and not 3 1 1?
Yes. We are publishing the hash of the full certificate. Note there are
two tlsa records, one corresponding to the previous LE
> _25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
> 834d710b2feb790cc9b2c6d251c65b1fedc24c51a4149bdfeae4d40e0be11892
Are you sure you want 3 0 1 and not 3 1 1?
Isn't the second number the selector:
0 -- Full certificate: the Certificate binary structure as defined in [RFC5280]
1 --
Years ago I set up automation for tlsa records to support smtp dane here.
However, something is now broken, and I am not sure what is wrong.
_25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (