DANE Auth Failing Since New Certs


#1

My domain is: delphi-real-estate.com

The operating system my web server runs on is (include version): CentOS 7.5

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I don’t understand why I can’t get good DANE auth since I’ve done my latest --reuse-key. It worked several months ago.

I go to https://www.huque.com/bin/gen_tlsa
Set 3, 1, 2, and paste in the public cert for that domain, port 25, proto tcp, domain mail.delphi-real-estate.com and Generate. I copy the hash and paste it in to my registrar’s TLSA tab with appropriate settings, and save.

Then I use huque’s Check service: https://www.huque.com/bin/danecheck
… and DANE Authentication Failed.

TLSA records found: 1
TLSA: 3 1 2 134daea46e17d086c5a5f066b6fa1ae60ab9e0765fb7afc749db27c38300962e2bded1320c38501526855a05b07a03870c76240d31de79dd3656461e14fa9720

Connecting to IPv4 address: 72.251.232.108 port 25
recv: 220 mail.quantum-equities.com ESMTP
send: EHLO cheetara.huque.com
recv: 250-mail.quantum-equities.com
recv: 250-PIPELINING
recv: 250-SIZE 104857600
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 SMTPUTF8
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 DHE-RSA-AES256-SHA256
Peer Certificate chain:
0 Subject CN: mail.quantum-equities.com
Issuer CN: Let’s Encrypt Authority X3
1 Subject CN: Let’s Encrypt Authority X3
Issuer CN: DST Root CA X3
SAN dNSName: mail.quantum-equities.com
Error: peer authentication failed. rc=65 (No matching DANE TLSA records)

[2] Authentication failed for all (1) peers.

Somehow it’s coming up with mail.quantum-equities.com, which is another Postfix virtual domain.

DANE auth works just fine with httpd and virtual hosts.
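
A worked version of the hashing step described in this post, added here as an example for the thread (it is not the poster's setup, nor code from huque.com or certbot). It assumes only an openssl binary and generates throwaway self-signed certificates for the hostnames in the thread, so it runs offline and contacts no DNS or SMTP server. It also shows why a 3 1 2 record is expected to survive a --reuse-key renewal: selector 1 hashes only the SubjectPublicKeyInfo, so two certificates issued for the same key give the same digest, while a selector 0 (full certificate) digest changes with every renewal because the serial and validity change.

```shell
#!/bin/sh
# Added example, not from the thread: compute DANE TLSA "3 1 2" and "3 0 2"
# digests from a PEM certificate with openssl, and check a certificate against
# a published record the way a DANE verifier such as danecheck does.
# Every certificate below is a self-signed throwaway made on the spot; the
# hostnames are the ones from the thread, but nothing here touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# TLSA selector 1 (SubjectPublicKeyInfo), matching type 2 (SHA-512):
# hash the DER-encoded public key, not the whole certificate.
tlsa_3_1_2() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha512 | sed 's/.*= //'
}

# TLSA selector 0 (full certificate), matching type 2: hash the whole DER cert.
tlsa_3_0_2() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha512 | sed 's/.*= //'
}

# Compare a certificate with a record given as "usage selector mtype hex".
# Returns 0 on match, 1 for "No matching DANE TLSA records". Only usage 3
# with selector 0 or 1 and SHA-512 is handled, which is what the thread uses.
tlsa_match() {
    cert=$1; usage=$2; selector=$3; mtype=$4; expect=$5
    [ "$usage" = 3 ] && [ "$mtype" = 2 ] || return 1
    case $selector in
        0) got=$(tlsa_3_0_2 "$cert") ;;
        1) got=$(tlsa_3_1_2 "$cert") ;;
        *) return 1 ;;
    esac
    [ "$got" = "$expect" ]
}

# Self-signed certificate for a hostname. One key per hostname is kept in
# $WORK and reused on repeat calls, which is what certbot --reuse-key does.
mkcert() {   # mkcert <hostname> <outcert>
    key="$WORK/$1.key"
    [ -s "$key" ] || openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    openssl req -x509 -new -key "$key" -sha256 -subj "/CN=$1" -days 1 \
        -out "$2" 2>/dev/null
}

# cert1.pem and cert2.pem for the same host from the same key (a renewal):
# the 3 1 2 digest is identical, the 3 0 2 digest is not.
mkcert mail.quantum-equities.com "$WORK/cert1.pem"
mkcert mail.quantum-equities.com "$WORK/cert2.pem"
# A different host with its own key, like the mismatch in the first post.
mkcert mail.delphi-real-estate.com "$WORK/delphi.pem"

same_key_312_stable() {
    [ "$(tlsa_3_1_2 "$WORK/cert1.pem")" = "$(tlsa_3_1_2 "$WORK/cert2.pem")" ]
}
same_key_302_changes() {
    [ "$(tlsa_3_0_2 "$WORK/cert1.pem")" != "$(tlsa_3_0_2 "$WORK/cert2.pem")" ]
}

# Stand-alone run: print both digests and the outcome of the record checks.
if same_key_312_stable; then echo "3 1 2 unchanged after same-key renewal"; fi
if same_key_302_changes; then echo "3 0 2 changed after same-key renewal"; fi
REC=$(tlsa_3_1_2 "$WORK/cert2.pem")
echo "record for mail.quantum-equities.com: 3 1 2 $REC"
tlsa_match "$WORK/cert2.pem" 3 1 2 "$REC" && echo "cert2.pem matches"
tlsa_match "$WORK/delphi.pem" 3 1 2 "$REC" || echo "delphi cert: no matching TLSA record"
```

A DANE-aware sender looks the record up under the MX hostname, at `_25._tcp.<MX host>`, and compares it with the certificate that host presents after STARTTLS. So the digest has to come from the key the MX host actually serves, and a record published under a domain whose MX points elsewhere is never consulted for that connection.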


#2

I guess that step either didn’t work or hasn’t propagated yet. I too can’t see a TLSA record for mail.quantum-equities.com.


#3

But see the destination URL is mail.delphi-real-estate.com

And mail.quantum-equities.com has a similarly-generated TLSA record.

I think the problem may be the mismatch but have no idea why this is happening. Didn’t last time I updated certs.


#4

dig delphi-real-estate.com mx gives me mail.quantum-equities.com; should this be mail.delphi-real-estate.com?

Also, Postfix doesn’t have SNI support, so it can’t choose which certificate to use depending on which hostname is being used. This means you may have to change around your Postfix & DNS configurations a bit!


#5

Yes it should be delphi-real-estate.com. I don’t understand why it’s doing this. It didn’t before this last cert change AFAIR.

DNS should be fine, I think it’s Postfix that’s messing up.


#6

Well something is just buggered. I go to https://www.huque.com/bin/gen_tlsa and set 3-1-2. I paste in my cert1.pem for mail.quantum-equities.com and generate the hash.

I set up the TLSA record at my registrar for 3-1-2 and paste in the hash that was generated, it checks out as a SHA2-512 hash and TLSA record is updated. I do this for ports 25, 587, and 993. And a day later I get the below using https://www.huque.com/bin/danecheck. Everything checks except the last critical step.

Domain Name: mail.quantum-equities.com

#################################################################

CHECKING MX HOST: mail.quantum-equities.com

#################################################################

TLSA records found: 1
TLSA: 3 1 2 5ffb5b23770d08a1e13e1030e62618779803aba5d8e371e863f03ec7635aac9110ef62e612e100a81870ef6840f3ab85e19fdfb0d66a704978e521c2fdd7cb89

Connecting to IPv4 address: 72.251.232.108 port 25
recv: 220-mail.quantum-equities.com ESMTP
recv: 220 mail.quantum-equities.com ESMTP
send: EHLO cheetara.huque.com
recv: 250-mail.quantum-equities.com
recv: 250-PIPELINING
recv: 250-SIZE 104857600
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 SMTPUTF8
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 DHE-RSA-AES256-SHA256
Peer Certificate chain:
0 Subject CN: mail.quantum-equities.com
Issuer CN: Let’s Encrypt Authority X3
1 Subject CN: Let’s Encrypt Authority X3
Issuer CN: DST Root CA X3
SAN dNSName: mail.quantum-equities.com
Error: peer authentication failed. rc=65 (No matching DANE TLSA records)

[2] Authentication failed for all (1) peers.


#7

Ok I get it now. I was using the archive directory and cert1.pem; I didn’t notice that as of this cert renewal there is now a cert2.pem.

Also, for those using multiple domains with Postfix through virtual-mailbox-domains – Postfix does not support virtual domains, so you must use the cert from the first entry in virtual-mailbox-domains, and put in the TLSA records its hash and that first domain name in all other virtual domains.


#8

If you use the live directory instead, the links will be automatically updated for you to point at the newest version after each renewal.


#9

I haven’t developed enough confidence in the system yet to rely on that as it’s been a rough process over the past six months.

