Problems accepting e-mail with TLSA/DANE

enricovangoor

Verified User
Joined
Oct 30, 2020
Messages
18
Location
Netherlands
Hi All,

Currently I'm testing with TLSA/DANE on a DirectAdmin server. Below is my test setup.

DirectAdmin Server A
DomainA has been set up with DMARC (p=none), DKIM and SPF. No TLSA/DANE.

RelayServer
with LetsEncrypt Certificate

DirectAdmin Server B
DomainB has been set up with DMARC (p=quarantine), DKIM, SPF and TLSA/DANE. The domain is checked with the mail check from internet.nl and checks out 100%, including DANE.

When I send an e-mail from DomainA to DomainB, it is relayed via the RelayServer. The RelayServer is firewalled, so only known servers (our own) can send e-mail via it. The e-mail is accepted on the RelayServer, but it stays in the mail queue. When I check the logs on the RelayServer I get the following:

2024-11-06 13:13:36 1t8eum-0006x8-TD <= info@DomainA H=DirectAdminServerA [IPv4 address] P=esmtps X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1732 id=c254b10f71a617250d7614266783c157@DomainA
<snip>
2024-11-06 13:41:33 1t8eum-0006x8-TD DANE attempt failed; TLS connection to mx.ipv6.DomainB [ipv6 address of DAServerB]: (certificate verification failed): Verification failed. The certificate differs.
2024-11-06 13:41:33 1t8eum-0006x8-TD DANE attempt failed; TLS connection to mx.ipv4.DomainB [ipv4 address of DAServerB]: (certificate verification failed): Verification failed. The certificate differs.
2024-11-06 13:41:33 1t8eum-0006x8-TD == info@DomainB R=dnslookup T=remote_smtp defer (-37) H=mx.DomainB [IPv4 DAServerB]: TLS session: (certificate verification failed): Verification failed. The certificate differs.

On DirectAdminServerB I get the following Exim log:
2024-11-06 15:19:41 TLS error (SSL_read): on connection from hostname_RelayServer [IPv6 RelayServer] error:0A000412:SSL routines::sslv3 alert bad certificate
2024-11-06 15:19:41 TLS error (SSL_read): on connection from hostname_RelayServer [IPv4 RelayServer] error:0A000412:SSL routines::sslv3 alert bad certificate

When an e-mail is sent from, let's say, Gmail, it is received with no problem by DomainB. The SSL certificates on both domains are Let's Encrypt (EC-384/SHA256). TLSA/DANE is set up with 3 1 1.

Does anyone know how to solve this?

Kind regards,
Enrico van Goor
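An added example, not code from the original post: a stdlib-only Python script that computes the TLSA "3 1 1" digest (SHA-256 over the SubjectPublicKeyInfo) and the "3 0 1" digest (SHA-256 over the whole certificate) from a DER certificate and compares them with a published TLSA record, which is the comparison a DANE-verifying MTA such as Exim performs before reporting "The certificate differs". The certificate it parses here is a constructed toy with placeholder fields; feed it the DER certificate the MX actually presents to check a real record.

```python
import hashlib

def der_len(buf, i):
    """Return (length, index_of_value) for the DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_value(tlv):
    """Strip tag and length from one DER TLV and return its value bytes."""
    length, start = der_len(tlv, 1)
    return tlv[start:start + length]

def der_children(body):
    """Yield (tag, raw_tlv) for each element in a SEQUENCE body, in order."""
    i = 0
    while i < len(body):
        length, start = der_len(body, i + 1)
        yield body[i], body[i:start + length]
        i = start + length

def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (raw TLV)."""
    tbs = next(der_children(der_value(cert_der)))[1]
    fields = list(der_children(der_value(tbs)))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_3_1_1(cert_der):
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_3_0_1(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def dane_matches(cert_der, tlsa_record):
    """tlsa_record is the RR text, e.g. '3 1 1 <hex>'. True only if digests agree."""
    usage, selector, mtype, data = tlsa_record.split()
    if (usage, selector, mtype) == ("3", "1", "1"):
        return tlsa_3_1_1(cert_der) == data.lower()
    if (usage, selector, mtype) == ("3", "0", "1"):
        return tlsa_3_0_1(cert_der) == data.lower()
    raise ValueError("only DANE-EE (3 x 1) records are handled here")

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed toy certificate."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + content

# CONSTRUCTED toy certificate: only the X.509 nesting and field order are real,
# the field contents are placeholders (ecPublicKey OID, dummy key bits, empty names).
SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00\x04" + b"\x11" * 96))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

If `dane_matches` returns False for the certificate the MX serves, the published TLSA record and the deployed key no longer agree, which is exactly the condition the relay's log reports.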