How to follow cipher sequence for mail?

[Richard G]

If you're using tlsa, there's a bug in the ../scripts/tlsa.sh at line 168 where it needs another dot (.) after the domainname to pass the internet.nl dane/tlsa check

I've read about that in a thread indeed. I didn't change it yet, because I also don't know if I have to compile other things again then like dovecot or something like that.
I will send the domain name via pm if it's no problem.

 

[sysdev]

I've read about that in a thread indeed. I didn't change it yet, because I also don't know if I have to compile other things again then like dovecot or something like that.
I will send the domain name via pm if it's no problem.

Sure, but you don't have to compile anything. It just adds a few records to your domain.com.db in named/bind. But because the dot is missing you get stuff like _25._tcp.mail.domain.com.domain.com

 

[ikkeben]

1.2 and 1.3.
You shouldn't use 1.0 and 1.1 anymore.

Ok thanks for info

Default DA with the 1.2 and 1.3 here centos 8 it is not ok in that test.

But no time to look into it deeper, i did replied some to help Richard and others with some info's as the links.

 

[Richard G]

stuff like _25._tcp.mail.domain.com.domain.com

I don't have any record looking like that in any way my domain.com.db file. No 25 and no TCP mentioned.
As for mail I only have:
mail 14400 IN A 95.xxx.xxx.xxx
domain.com. 14400 IN MX 10 mail
and ofcourse spf, dkim, dmarc and dnssec. But this domain already exists almost 13 years so might not be affected by that bug.

 

[sysdev]

I don't have any record looking like that in any way my domain.com.db file. No 25 and no TCP mentioned.
As for mail I only have:
mail 14400 IN A 95.xxx.xxx.xxx
domain.com. 14400 IN MX 10 mail
and ofcourse spf, dkim, dmarc and dnssec. But this domain already exists almost 13 years so might not be affected by that bug.

That's for DANE/TLSA. If you're not using that, you won't have any of those records.

 

[Richard G]

Ah oke, no I don't use DANE/TLSA yet, because that also causes manual work and I like to create those things automatically. I've looked into that the day before yesterday and seems custom script is still necessary. So I will wait with Dane until it's fully integrated in DA.
Thank you.

 

[sysdev]

Ah oke, no I don't use DANE/TLSA yet, because that also causes manual work and I like to create those things automatically. I've looked into that the day before yesterday and seems custom script is still necessary. So I will wait with Dane until it's fully integrated in DA.
Thank you.

True, and it's not really working well. It kinda works sometimes. Better wait for it to get integrated in DA indeed.