Validating an SMTP server

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Sep 7 18:02:45 CEST 2015


On Mon, Sep 07, 2015 at 02:09:35PM +0200, Hoggins! wrote:

> I'm trying to validate my DANE records against my SMTP server, but I'm
> facing something that I cannot understand, because I believe I'm lacking
> some details about the validation failure : I'm trying to validate
> smtp.hoggins.fr. It gives me an error on the validator
> (https://dane.sys4.de/smtp/smtp.hoggins.fr), but I don't know what I
> need to change about that.
> 
> Is there a way to be more verbose about the validation failure ? Maybe
> some client-side checking I can do manually ?

The MX host for a domain is required by DNS standards to not be a
CNAME alias.

    hoggins.fr. IN MX 1 smtp.hoggins.fr.
    smtp.hoggins.fr.	CNAME	mailer.hoggins.fr.
    mailer.hoggins.fr.	A	5.196.52.52

The validator tries to be more strict than some MTAs, because there
may be other MTAs for which CNAMEs in MX records are not valid.
Change your MX hostname to "mailer.hoggins.fr" or make "smtp" be an
"A" record with the same IP addresses as "mail", rather than an
alias.

Once you do that, the mail server's TLSA records are fine:

    smtp.hoggins.fr. IN CNAME mailer.hoggins.fr. ; NOERROR AD=1
    mailer.hoggins.fr. IN NOTMX 0 smtp.hoggins.fr. ; NOERROR AD=1
    _25._tcp.mailer.hoggins.fr. IN TLSA 3 1 2 05460499a59db40f0015caffef33eecb6e6121ee35afd87ee4daf88d3f9d0946a2af16db33ba3fb964d15b8a9018ec6b87e54a4aaa804cd31b20f62026d2314e ; passed

The alias may be exposing a minor bug in the web interface, which
may be querying for success with "smtp.hoggins.fr", but the ultimate
DANE verification is of "mailer.hoggins.fr".

Avoid aliases in email domain names and MX hosts.

-- 
	Viktor.
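An offline illustration of the two checks Viktor describes (the MX target must not be a CNAME alias, and a TLSA record must exist at `_25._tcp.<canonical host>`), plus how the association data of a `3 1 2` TLSA record is derived. This is an added example, not code from the post or from the sys4 validator; the `BROKEN_ZONE` and `FIXED_ZONE` dictionaries are constructed stand-ins for real DNS answers (modelled on the records quoted above), and the `check_mx_dane`, `follow_cnames` and `tlsa_assoc_data` names are this example's own.

```python
# Added example (not part of the mailing-list post): offline DANE-for-SMTP
# pre-checks over a constructed record set, mirroring what the validator in
# the thread complains about.  The zone dictionaries replace live DNS lookups.
import hashlib

# Constructed zone: the broken layout quoted in the reply (MX -> CNAME).
BROKEN_ZONE = {
    "hoggins.fr.": [("MX", (1, "smtp.hoggins.fr."))],
    "smtp.hoggins.fr.": [("CNAME", "mailer.hoggins.fr.")],
    "mailer.hoggins.fr.": [("A", "5.196.52.52")],
    "_25._tcp.mailer.hoggins.fr.": [("TLSA", (3, 1, 2,
        "05460499a59db40f0015caffef33eecb6e6121ee35afd87ee4daf88d3f9d0946"
        "a2af16db33ba3fb964d15b8a9018ec6b87e54a4aaa804cd31b20f62026d2314e"))],
}

# Constructed zone: the first fix suggested (MX names the real host directly).
FIXED_ZONE = dict(BROKEN_ZONE)
FIXED_ZONE["hoggins.fr."] = [("MX", (1, "mailer.hoggins.fr."))]


def lookup(zone, name, rtype):
    """Return the data of every record of type rtype at name."""
    return [data for t, data in zone.get(name, []) if t == rtype]


def follow_cnames(zone, name, max_depth=8):
    """Follow CNAME aliases from name; return (canonical_name, chain)."""
    chain = [name]
    while True:
        targets = lookup(zone, chain[-1], "CNAME")
        if not targets:
            return chain[-1], chain
        if len(chain) > max_depth:
            raise ValueError(f"CNAME chain too long starting at {name}")
        chain.append(targets[0])


def check_mx_dane(zone, domain):
    """Return (errors, notes) for every MX host of domain.

    errors: conditions under which DANE verification is unreliable or
            impossible; notes: TLSA records that were found.
    """
    errors, notes = [], []
    mxs = sorted(lookup(zone, domain, "MX"))
    if not mxs:
        errors.append(f"{domain}: no MX records")
    for _pref, mx in mxs:
        canonical, chain = follow_cnames(zone, mx)
        if len(chain) > 1:
            errors.append(f"{mx}: MX target is a CNAME alias for {canonical} "
                          "(forbidden by RFC 2181 s10.3 / RFC 5321 s5.1)")
        tlsa_name = f"_25._tcp.{canonical}"
        tlsa = lookup(zone, tlsa_name, "TLSA")
        if not tlsa:
            errors.append(f"{mx}: no TLSA record at {tlsa_name}")
        for usage, selector, mtype, data in tlsa:
            if mtype == 2 and len(data) != 128:
                errors.append(f"{tlsa_name}: SHA-512 association data "
                              "should be 128 hex characters")
            notes.append(f"{tlsa_name}: TLSA {usage} {selector} {mtype} present")
    return errors, notes


def tlsa_assoc_data(cert_der: bytes, spki_der: bytes,
                    selector: int, mtype: int) -> str:
    """Compute the association-data field of a TLSA record (RFC 6698).

    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes (hex), 1 = SHA-256, 2 = SHA-512.
    """
    blob = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return blob.hex()
    if mtype == 1:
        return hashlib.sha256(blob).hexdigest()
    if mtype == 2:
        return hashlib.sha512(blob).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(record, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the presented cert/SPKI."""
    _usage, selector, mtype, data = record
    return tlsa_assoc_data(cert_der, spki_der, selector, mtype).lower() == data.lower()


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        errors, notes = check_mx_dane(zone, "hoggins.fr.")
        print(f"{label}: {errors or 'OK'} {notes}")
```

Against `BROKEN_ZONE` the only finding is the CNAME alias, which matches the reply: the TLSA record at the canonical host is fine, and pointing the MX at `mailer.hoggins.fr.` makes the check pass. To use `tlsa_matches` on a real server you would feed it the DER certificate and DER SubjectPublicKeyInfo taken from the TLS handshake; those are not included here.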