From ebcf9c151e91ef9c73c01cc5211013d56ab3abcc Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Fri, 15 Nov 2019 08:55:14 +0100 Subject: [PATCH] added tricks for troubleshooting DANE errors --- DANE-for-SMTP-how-to.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 1b71751..04cbb0f 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md 
@@ -206,6 +206,10 @@ This section describes several pionts for attention when implementing DANE for S * Using Server Name Indication (SNI) in an e-mail environment (for matching the certificate offered by a recieving e-mail server) is only usefull when DANE and DNSSEC are used. DNSSEC to perform a reliable MX lookup and DANE to verify the authenticity of the certificate. Sending e-mail servers (the TLS client) usually don't use SNI, because some receiving e-mail servers (the TLS server) cannot handle this; in some cases the setting up of a TLS connection fails. For more information see [RFC 7672 section 8.1](https://tools.ietf.org/html/rfc7672#section-8.1) and [this blogpost by Filippo Valsorda](https://blog.filippo.io/the-sad-state-of-smtp-encryption/). * Make sure you keep an eye on the logs of your sending mail server to see what domains fail DANE verification. * Some software allows for a test mode. This means that DANE verification is done and logged but there’s no consequence for delivery if DANE verification fails. +* Manually verify a mail server's certificate with the following command: `openssl s_client -starttls smtp -connect mail.example.nl:25 -dane_tlsa_domain "example.nl" -dane_tlsa_rrdata "3 1 1 29c8601cb562d00aa7190003b5c17e61a93dcbed3f61fd2f86bd35fbb461d084"`. +* Check if DANE TLSA records (_25._tcp.mail.example.nl) are properly DNSSEC signed. A regularly occuring mistake is the presence of "proof of non-existence" (NSEC3) for the ancestor domain (_tcp.mail.example.nl). If this happens then resolvers that use qname minimization (like the resolver used by [Internet.nl](https://internet.nl)) think that _25._tcp.mail.example.nl does not exists since _tcp.mail.example.nl does not exists. Therefore the resolver can't get the TLSA record which makes DANE fail. + * Check your DNSSEC implementation on [DNSViz](https://dnsviz.net/). Enter "_25._tcp.mail.example.nl". + * You can also manually check for this error. 
`dig _25._tcp.mail.example.nl tlsa +dnssec` results in a NOERROR response, while `dig _tcp.mail.example.nl tlsa +dnssec` results in a NXDOMAIN response. # Inbound e-mail traffic (publishing DANE DNS records) This part of the how-to describes the steps that should be taken with regard to your inbound e-mail traffic, which primairily involves publishing DANE DNS records. This enables other parties to use DANE for validating the certificates offered by your e-mail servers.
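Review bot: in the new openssl bullet, `-dane_tlsa_domain "example.nl"` names the wrong TLSA base domain; the record being tested lives at `_25._tcp.mail.example.nl`, so the base domain is the MX hostname and the option should read `-dane_tlsa_domain "mail.example.nl"`. OpenSSL uses that value as the default SNI hint and as the reference identifier for certificate name checks, so with a DANE-TA(2) record the command as written fails against a correctly published record, and for a DANE-EE(3) record OpenSSL still performs name checks unless `-dane_ee_no_namechecks` is passed, which is the RFC 7672 behaviour an SMTP client actually has. Suggested: `openssl s_client -starttls smtp -connect mail.example.nl:25 -dane_tlsa_domain "mail.example.nl" -dane_ee_no_namechecks -dane_tlsa_rrdata "3 1 1 <hash>"`, with a sentence saying that the rrdata is the literal content of the TLSA record the reader is checking (the hash in the bullet is only an example value). On the DNSSEC bullet: the failure it describes is not a signing error but the zone answering NXDOMAIN for the empty non-terminal `_tcp.mail.example.nl` where a NOERROR/NODATA answer is required, which qname-minimising resolvers (RFC 7816) take as proof that nothing exists below it (RFC 8020); "Check if DANE TLSA records are properly DNSSEC signed" therefore misdescribes the check, and the dig test only demonstrates the bug when sent to the zone's authoritative server, e.g. `dig @ns1.example.nl _tcp.mail.example.nl tlsa +dnssec`, because a qname-minimising resolver fails the first query as well and a caching resolver may not show the NXDOMAIN. Minor: "occuring" should be "occurring" and "does not exists" should be "does not exist" (twice) in the same added line.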