How to check certificates for mail SNI

For checking if a certificate is valid for a website, I normally use DigiCert or Comodo.

But these don't work for checking mail certificates.

Does anyone know if there are websites where it is possible to check mail certificates?

Try this one from certlogik.

Thanks for your reply Freddy!

Unfortunately that one does the same as all the other ones. It returns the certificate for the IP address (or so it seems).
It doesn't use SNI to request the actual certificate of the domain name I'm trying to verify.

For example, the host name of my server is mail.pjdn004.nl
On this server there are domains running like technova.nl or whalswick.nl which have mailservernames like mail.technova.nl and mail.whalswick.nl (and each has it's own certificates created with LetsEncrypt).

However if I enter mail.technova.nl on the CertLogik website, I get the warning that that name is not listed in the certificate. And the reason for that is that aparently CertLogik checks the certificate of mail.pjdn004.nl instead of mail.technova.nl.

So either CertLogik and all the others aren't able to check mail SNI certificates, or SNI isn't working, or I have a configuration problem on my server

Hello,

Test it here: https://ssl-tools.net/mailservers/ or with your domain name tested: https://ssl-tools.net/mailservers/technova.nl Put your domain name without mail. sub.

Thanks Alex, yes, that site does what I was looking for!

Seems I did setup mail_sni correctly, yaay!

However, I now have to research yet another acronym: "DANE"
Ah well, keeps me of the street I guess (can't even remember what a street looks like)

As for DANE (it's supported by Directadmin since version 1.514 )

- https://directadmin.com/features.php?id=1869
- https://forum.directadmin.com/showthread.php?t=51499&highlight=DANE

Trying to figure out how to enable it.... it will take a while.

FOR DANE, TLSA you need also DNSSEC sofar i know, if not working well DNSSEC the test for DANE will fail

Test explanation:

We check if the DANE fingerprints presented by your mail server domains are valid for your mail server certificates. DANE allows you to publish information about your mail server certificates in a special DNS record, called TLSA record. Sending mail servers can check the authenticity of your certificates not only through the certificate authority but also through the TLSA records. A sending mail server can also use the TLSA record as a signal to only connect via STARTTLS (and not unencrypted). When the DANE fingerprint of a receiving mail server is checked by the sending mail server, an active attacker who is able to manipulate the mail trafic cannot strip STARTTLS encryption. DNSSEC is preconditional for DANE. Note: cases where we detect a valid TLSA record but no DNSSEC support or where we get an error while retrieving the TLSA record, are also considered failures for this test.
Technical details:
Mail server (MX) DANE valid

Click to expand...

Thanks everyone for your input!

I've read a dozen or so pages about DANE by now and I'm getting what it is all about (more or less).

I also understand that it adds additional security in a different way than certificates do, and as such I understand the added value.

However, to me it feels a bit like overkill. Does it really add so much security that it is worth the effort? (just thinking out loud)
Anyone want to comment on that? Is it worth it? Does it really make it much safer, compared to just certificate based security?

Aspegic said:

Thanks everyone for your input!

I've read a dozen or so pages about DANE by now and I'm getting what it is all about (more or less).

I also understand that it adds additional security in a different way than certificates do, and as such I understand the added value.

However, to me it feels a bit like overkill. Does it really add so much security that it is worth the effort? (just thinking out loud)
Anyone want to comment on that? Is it worth it? Does it really make it much safer, compared to just certificate based security?

Click to expand...

Yea i write above only with DNSSEC it works .

And there is in my opinion the real problem, DNSSEC was already old before as at this time it is somewhat real world feature.

With risks for you business , and maybe not so much pro's against the risks, extra safe hmm.

some info first read this
https://www.techworld.com/security/...is-about-change-should-we-be-worried-3645538/

Read then this
https://nakedsecurity.sophos.com/2017/10/04/dnssec-master-key-change-delayed-after-isps-struggle/

Then also: https://nlnetlabs.nl/downloads/publications/dnssec/dnssecnl/secreg-report.pdf

1.1. What DNSSEC is not
A lot of people think DNSSEC will secure the Internet. That it will make an end to script kiddies and other nuisances currently found on the Net. This will not be the case. DNSSEC is designed to do one thing and that is to enable detection of spoofing attacks in the DNS. Other dreams about DNSSEC include use it as a PKI, a public key infrastructure. DNSSEC is not designed for this, and it therefore lacks core PKI operation

Click to expand...

so

Hopefully with DNSSEC an increased security awareness will come to the Internet

Click to expand...

some forcing to ... but who knows


https://www.theregister.co.uk/2015/...protocol_a_waste_of_everyones_time_and_money/

This is one of the major risks to come on this page
https://ianix.com/pub/dnssec-outages.html

Even for NASA.gov it seems to be to difficukt
https://ianix.com/pub/dnssec-outages/20171007-nasa.gov/





OFTOPIC:::

Lets hope for a better Secure Future, in my opinion also if real security and privacy is and should be so important everybody wanting, then if this is really really trough, this was a non issieu at all. ( knowledge and technics are there also possibilities for a long time). So yes less privacy, but with good rules and laws all checked by IT AI systems they obey and so on. ( No device without 100 % Reconignition, and no one before 100% Reconignized could connect to the SAFEWEB)
Yes if everybody/most want that it is possible.

2 WEBS 1 SAFE and 1 hmm "dark" it is all Politics, and yes everybody a chip under the skin, less crime, only the people with power as Agents and politics governments should be ruled out to have the power over this, it should be a AI on itself driven, so anonymous driven system, only yelling is really something scammy, crimminal persons, company's and so on are detected. ( no-one else should be affected in anyway, and privacy scam as Go.. Ub.. Fa.. TW... AMaZ.. should be ruled out then also)

BUT OK for some parts: country's , regimes there must stay a chance for freedom on the web, somehow i know that to.

You can only make things, and places safe if everybody really wants it. you teach your kids raise them well, school and universities has also the power to do that, starting so while the real future is again as always in the hands of the next generation.

No privacy att all could make the worl a better place, yes but only if the no privacy is engineered so that no-one has better or worse changes in live because of this, so everyone same chances and no one more. (lets say a polution in history some time back for that region, makes people a generation later ill, so health insurance for that people if detected is much higher or not possible, so if they know who lived there.... but if non inequality then such is ok.
Why name it but because of detecting and knowing such mostly cure and medicine is much quicker possible to heal if it is in BIG DATA, so should be a pro and good thing if not hat stupid threatehing inequality was there.

So please POLITICS, real Privacy is for a long time ago already gone, but make the best out of it and protect your people for the BIG data-driven inequality for the future