TLSA Validation Failed
ietf-dane at dukhovni.org
Tue Jul 28 16:52:08 CEST 2015
On Tue, Jul 28, 2015 at 03:34:23PM +0200, Bjørn Mork wrote:
> Mark Elkins <mje at posix.co.za> writes:
> > For email - you need a TLSA 311 Certificate.
> Care to explain why? I am sure I'm missing something here, but this
> isn't obvious to me.
> And does "email" mean SMTP or POP/IMAP or all of them?
Sorry, just MTA-to-MTA SMTP:
> Until now I've just used the same private self-signed CA certificate for
> all services, and just created aliases to a common TLSA 2 0 1 record.
That's also fine, if the CA in question is the issuer of the
individual server certificates. The constraint for MTA-to-MTA SMTP
is that you SHOULD NOT publish TLSA records with certificate usages
PKIX-TA(0) or PKIX-EE(1). A "3 X Y" is the right alternative for
"1 X Y" and "2 N M" is the right alternative for "0 N M".
> This appeared to work fine, but then again: I don't know how I would
> detect a failure... There aren't that many validating email clients out
> How do you test and validate TLSA records for SMTP, POP and IMAP?
Just for SMTP MTAs (port 25):
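An added example, not code from this thread or from any DANE tool, that lints TLSA records in zone-file presentation form against the advice above: it flags PKIX-TA(0) and PKIX-EE(1) on a `_25._tcp` name and rewrites them to the DANE usages 2 and 3 with the same association data. The owner names and the digest value are constructed placeholders.

```python
"""Lint TLSA records for MTA-to-MTA SMTP: flag PKIX usages 0/1, suggest 2/3."""
import re

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SMTP_USAGE_FIX = {0: 2, 1: 3}        # "0 N M" -> "2 N M", "1 X Y" -> "3 X Y"
DIGEST_HEX_LEN = {1: 64, 2: 128}     # SHA-256 / SHA-512 hex lengths; type 0 is raw DER

# Zone-file presentation format; TTL and class are optional.
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f ]+)$"
)

def parse_tlsa(line):
    m = TLSA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a TLSA record: {line!r}")
    return {"owner": m["owner"], "usage": int(m["usage"]),
            "selector": int(m["selector"]), "mtype": int(m["mtype"]),
            "data": m["data"].replace(" ", "").lower()}

def lint_smtp_tlsa(line):
    """Return a list of problems; an empty list means the record suits port-25 SMTP."""
    rec = parse_tlsa(line)
    problems = []
    if not rec["owner"].lower().startswith("_25._tcp."):
        problems.append("owner name is not _25._tcp.<mx-host>")
    if rec["usage"] not in USAGE_NAMES:
        problems.append(f"unknown certificate usage {rec['usage']}")
    elif rec["usage"] in SMTP_USAGE_FIX:
        problems.append(f"usage {rec['usage']} ({USAGE_NAMES[rec['usage']]}) relies on PKIX; "
                        f"publish usage {SMTP_USAGE_FIX[rec['usage']]} instead")
    if rec["selector"] not in (0, 1):
        problems.append(f"unknown selector {rec['selector']}")
    if rec["mtype"] not in (0, 1, 2):
        problems.append(f"unknown matching type {rec['mtype']}")
    elif rec["mtype"] in DIGEST_HEX_LEN and len(rec["data"]) != DIGEST_HEX_LEN[rec["mtype"]]:
        problems.append(f"matching type {rec['mtype']} needs {DIGEST_HEX_LEN[rec['mtype']]} "
                        f"hex digits, got {len(rec['data'])}")
    return problems

def smtp_rewrite(line):
    """Same association data, with usage 0 -> 2 or 1 -> 3 as recommended above."""
    rec = parse_tlsa(line)
    usage = SMTP_USAGE_FIX.get(rec["usage"], rec["usage"])
    return f"{rec['owner']} IN TLSA {usage} {rec['selector']} {rec['mtype']} {rec['data']}"

if __name__ == "__main__":
    # Constructed sample zone lines; the digest is a placeholder, not a real certificate hash.
    digest = "ab" * 32
    for rr in (f"_25._tcp.mx.example.com. 3600 IN TLSA 1 1 1 {digest}",
               f"_25._tcp.mx.example.com. IN TLSA 3 1 1 {digest}"):
        print(rr, "->", lint_smtp_tlsa(rr) or "ok")
        print("   rewrite:", smtp_rewrite(rr))
```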