The operating system my web server runs on is (include version): CentOS 7.5
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
I don't understand why I can't get good DANE auth since I've done my latest --reuse-key. It worked several months ago.
I go to Generate DANE TLSA Record, set 3, 1, 2, paste in the public cert for that domain (port 25, proto tcp, domain mail.delphi-real-estate.com) and click Generate. I copy the hash, paste it into my registrar's TLSA tab with the appropriate settings, and save.
dig delphi-real-estate.com mx gives me mail.quantum-equities.com; should this be mail.delphi-real-estate.com?
Also, Postfix doesn’t have SNI support, so it can’t choose which certificate to use depending on which hostname is being used. This means you may have to change around your Postfix & DNS configurations a bit!
I set up the TLSA record at my registrar for 3-1-2 and paste in the hash that was generated; it checks out as a SHA2-512 hash and the TLSA record is updated. I do this for ports 25, 587, and 993. A day later I get the below using Check a DANE TLS Service. Everything checks except the last critical step.
Ok I get it now. I was using the archive directory and cert1.pem; I didn’t notice that as of this cert renewal there is now a cert2.pem.
Also, for those using multiple domains with Postfix through virtual-mailbox-domains: Postfix does not support virtual domains, so you must use the cert from the first entry in virtual-mailbox-domains, and put its hash and that first domain name in the TLSA records of all the other virtual domains.
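The hashing that the "Generate DANE TLSA Record" step does for you, written out as an added shell example (this is not code from the thread, from Let's Encrypt or from the DANE tool). It assumes only that `openssl` is on the PATH; the keys and self-signed certificates it creates are constructed throwaways standing in for `/etc/letsencrypt/live/<domain>/cert.pem`, and `mail.example.net` is a placeholder host. A 3 1 x record hashes only the SubjectPublicKeyInfo, so the example also shows the two ways a record goes stale or not: a renewal that really reused the key yields the same hash as before, while a renewal with a fresh key does not, which is why the input should be the `live/` symlink rather than a numbered `archive/certN.pem`. The owner name of the record is `_port._tcp.<host>`, where `<host>` must be the hostname the MX record points at, i.e. the name other mail servers actually connect to.

```shell
#!/bin/sh
# Added example, not code from the original thread: build and check DANE TLSA
# records with openssl. Record fields: usage 3 (DANE-EE), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256) or 2 (SHA-512).
set -e

# tlsa_spki_hash CERT.pem sha256|sha512
# Hex digest of the DER-encoded SubjectPublicKeyInfo of the certificate.
tlsa_spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -"$2" \
        | sed 's/^.*= *//'
}

# tlsa_record HOST PORT CERT.pem MATCHING_TYPE(1|2)
# Prints a complete "_PORT._tcp.HOST. IN TLSA 3 1 <mtype> <hash>" record.
# HOST must be the MX target hostname, not the bare mail domain.
tlsa_record() {
    case "$4" in
        1) alg=sha256 ;;
        2) alg=sha512 ;;
        *) echo "matching type must be 1 or 2" >&2; return 1 ;;
    esac
    printf '_%s._tcp.%s. IN TLSA 3 1 %s %s\n' \
        "$2" "$1" "$4" "$(tlsa_spki_hash "$3" "$alg")"
}

# tlsa_matches HEX_FROM_DNS CERT.pem MATCHING_TYPE
# Exit 0 when the certificate's SPKI digest equals the published record data,
# i.e. the local equivalent of the final step of a DANE service check.
tlsa_matches() {
    case "$3" in 1) alg=sha256 ;; 2) alg=sha512 ;; *) return 2 ;; esac
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ "$(tlsa_spki_hash "$2" "$alg")" = "$want" ]
}

# Constructed fixtures. In production the input is the live/ symlink,
# /etc/letsencrypt/live/<domain>/cert.pem, never archive/certN.pem.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key1.pem"
openssl req -new -x509 -key "$WORK/key1.pem" -subj /CN=mail.example.net \
    -days 1 -out "$WORK/cert1.pem" 2>/dev/null
# "Renewal" that reused the private key (certbot --reuse-key): new cert, same SPKI.
openssl req -new -x509 -key "$WORK/key1.pem" -subj /CN=mail.example.net \
    -days 1 -out "$WORK/cert2.pem" 2>/dev/null
# Renewal with a fresh key: the SPKI changes, so an old 3 1 x record no longer matches.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key3.pem"
openssl req -new -x509 -key "$WORK/key3.pem" -subj /CN=mail.example.net \
    -days 1 -out "$WORK/cert3.pem" 2>/dev/null

# One record per service port, all from the current certificate.
for p in 25 587 993; do
    tlsa_record mail.example.net "$p" "$WORK/cert2.pem" 2
done
```

To check a record that is already published, feed the hex data from `dig _25._tcp.mail.example.net TLSA` into `tlsa_matches` together with the certificate Postfix actually serves; a mismatch there is exactly the failing last step of the service check, and the usual causes are hashing a stale archive copy or publishing the record under the wrong owner name.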