TLSA Validation Failed

Mark Elkins mje at
Tue Jul 28 16:47:45 CEST 2015

(Please correct me if I am wrong - Still Learning myself!)

On Tue, 2015-07-28 at 15:34 +0200, Bjørn Mork wrote:
> Mark Elkins <mje at> writes:
> > For email - you need a TLSA 311 Certificate.
> Care to explain why?  I am sure I'm missing something here, but this
> isn't obvious to me.

The topic was DANE and generating valid TLSA records from a Web
certificate for Web purposes. The same Web Certificate can be used for
creating an appropriate TLSA certificate for Mail. In the case of MTA to
MTA (Mail Transport Agent, eg for use by exim or Postfix) - the TLSA
certificate could look like...

IN TLSA 3 1 1 588c9c64a52c1a0d4cb1e82d67d746504241480c55b1edd24b6fc7cd 4f836997

ie - the bit you stick in a zone file....

> And does "email" mean SMTP or POP/IMAP or all of them?

Just MTA to MTA

> Until now I've just used the same private self-signed CA certificate for
> all services,

In my experience, most web browsers complain about self-signed
certificates, until an exception is made of that Certificate. Microsoft
Explorer is particularly rude and strongly suggests a user not to trust
it ( = Customers go elsewhere). I think therefore to make going to a
secure website as palatable as possible, get the Certificate signed by a
reputable CA.
If you have such a certificate - it can be used also for e-mail, for MTU
to MTU (Secure-SMTP), for Submission (Authenticated+Secured SMTP) and
for IMAP/POP3 (eg courier-imap stuff).

>  and just created aliases to a common TLSA 2 0 1 record.
> This appeared to work fine, but then again: I don't know how I would
> detect a failure...  There aren't that many validating email clients out
> there.

I think Viktor Dukhovni <ietf-dane at> possibly has a test.

> How do you test and validate TLSA records for SMTP, POP and IMAP?

If by SMTP, you mean a client sending outbound mail via their ISP using
Submission - I wasn't aware that TLSA records played a role in this
area. I'm also not aware that they play a role in the IMAP/POP3 area

I personally use IMAP on port 993 (SSL/TLS) and Submission on 587
(STARTSSL after Connection) - and have done a long time before playing
with DANE and TLSA records.

TLSA Records for MTU to MTU makes sense - you don't know if the
recipient MTA uses TLS, the TLSA in the (DNSSEC Secured) DNS can confirm
this if it exists.

On the other hand, the relationship between Client and ISP by definition
probably has to be known about. (I run a smallish ISP - I have clients,
many of them have their mail clients configured like this.)

> Bjørn

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA:
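
The following is an added example, not part of the original message: one way to check offline whether a TLSA record such as the "3 1 1" record above matches a given certificate. It assumes the record was obtained over validated DNSSEC and the certificate is available in DER form; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib

def der(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)        # Certificate
    _, off, _ = read_tlv(cert_der, start)      # tbsCertificate
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                            # optional [0] version
        off = end
    for _ in range(5):    # serial, signature, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    return cert_der[off:read_tlv(cert_der, off)[2]]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data: selector 0=full cert, 1=SPKI;
    matching type 0=exact, 1=SHA-256, 2=SHA-512 (RFC 6698)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def tlsa_matches(rdata, cert_der):
    """rdata is zone-file text such as '3 1 1 588c... 4f83...'; whitespace
    inside the hex is allowed. Usage is not evaluated: the caller passes the
    server's own certificate for usage 3, the trust anchor for usage 2."""
    _usage, selector, mtype, *hexparts = rdata.split()
    want = "".join(hexparts).lower()
    return tlsa_data(cert_der, int(selector), int(mtype)) == want

# Constructed sample: DER with the right field layout, not a usable certificate.
SPKI = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + bytes(range(32))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
          + der(0x30, bytes(200)) + der(0x30, b"") + der(0x30, b"") + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    print("IN TLSA 3 1 1", tlsa_data(CERT, 1, 1))
```

A "3 1 1" record keeps matching when the certificate is reissued with the same key pair, while a selector 0 record has to be republished for every new certificate.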