Apologies for jumping in, and it may not be relevant, but our experience has been that, unlike Google and others, Microsoft will DNSSEC fail an email if the sending server's hostname does not have its subdomain DNSSEC signed and keys provisioned in public DNS -- even when the envelope and sender From: match.
So like:
- Sending domain = mycompany.com, From: envelope+header = john....@mycompany.com, Sending server = mta2.mydomain.com
- DNSSEC key published for mydomain.com only = DNSSEC fail from Microsoft.
- DNSSEC key published for mydomain.com and the subdomain mta2.mydomain.com = DNSSEC pass from Microsoft.

Hope that helps,
Mark
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs

----- Original Message -----
| From: "Kirill Miazine via mailop" <mailop@mailop.org>
| To: "tobias" <tob...@fiebig.nl>
| Cc: "mailop" <mailop@mailop.org>
| Sent: Monday, June 10, 2024 7:24:54 AM
| Subject: Re: [mailop] heads-up: Exchange Online: validation issues with Let's Encrypt DANE
|
| • Tobias Fiebig via mailop [2024-06-10 14:09]:
|> Moin,
|> are you sure the RRset is not inadvertently bogus? Can slip by rather
|> easily for a set of reasons; old RRSIGs for example after one of the
|> entries got updated?
|
| no. LE TLSA RRs are generated automatically based on URL lists, so there
| are neither dupes nor errors. zones are signed by ldns-signzone prior to
| getting distributed to name servers for publishing.
|
|> If not; out of personal curiosity; can you test where 'the boundary' is
|> to trigger the error? should be doable with like 4 test domains max
|> (bin-search starting at 7 RR in the set).
|
| _that_ was an interesting challenge indeed! the answer I got is 12: 12
| TLSA RRs are OK, but when there are 13 or 14, emails are stuck somewhere
| and would trigger an error message later on. (for the sake of
| completeness, I went all the way with domains from 6 to 14 TLSA RRs)
|
|> With best regards,
|> Tobias
|>
|> On Mon, 2024-06-10 at 12:36 +0200, Kirill Miazine via mailop wrote:
|> > Apparently exchange online would provide an error to the user like
|> > this:
|> >
|> > dnssec-invalid: Destination domain returned invalid DNSSEC records
|> >
|> > https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/ndr/non-delivery-reports-in-exchange-online
|> >
|> > explains what this really means:
|> >
|> > The destination domain indicated it was DNSSEC-authentic, but Exchange
|> > Online wasn't able to verify it as DNSSEC-authentic.
|> >
|> > So the guess is that Exchange Online is getting in trouble when there
|> > are more than a few TLSA records...
|> >
|> > • Kirill Miazine via mailop [2024-06-10 12:06]:
|> > > Although there are better alternatives to 2 1 1 with Let's Encrypt,
|> > > some still use 2 1 1, and it seems Exchange Online is not happy when
|> > > there are 14 TLSA records (why 14? because
|> > > https://letsencrypt.org/certificates/)... A good reason to not use
|> > > 2 1 1....
|> > >
|> > > ; TLSA - LE certs published at
|> > > https://letsencrypt.org/certificates/
|> > >
|> > > _______________________________________________
|> > > mailop mailing list
|> > > mailop@mailop.org
|> > > https://list.mailop.org/listinfo/mailop
|> >
|>
|> --
|> Dr.-Ing. Tobias Fiebig
|> T +31 616 80 98 99
|> M tob...@fiebig.nl
|
| --
| -- Kirill Miazine <k...@krot.org>
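Kirill's boundary test (12 TLSA RRs delivered, 13 or 14 bounced) and Tobias's question about an inadvertently bogus RRset both point at a pre-publication check on the TLSA set. The following is an added example, not code from the thread or from any of the posters: a small Python linter that parses TLSA RRs in zone presentation format, rejects malformed 2 1 1 records, flags duplicate RRs, and warns when one RRset exceeds the 12-record threshold observed with Exchange Online; the owner names and digests in the sample zone are constructed.

```python
import hashlib
import re
from collections import Counter, defaultdict

MAX_RRS_EXO = 12  # from the thread: 12 TLSA RRs delivered, 13 or 14 bounced "dnssec-invalid"
_HEX_LEN = {1: 64, 2: 128}  # RFC 6698 matching type 1 = SHA-256, 2 = SHA-512 (0 = full data)
_LINE = re.compile(r"^(\S+)\s+(?:IN\s+)?TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F]+)\s*(?:;.*)?$")


def parse_tlsa(zone_text):
    """Parse TLSA RRs in presentation format into (owner, usage, selector, mtype, data)."""
    records, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if raw[0].isspace() and owner:  # blank owner field: same name as the previous record
            line = f"{owner} {line}"
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a TLSA record: {raw!r}")
        owner, data = m.group(1), m.group(5).lower()
        usage, sel, mtype = (int(x) for x in m.group(2, 3, 4))
        if usage > 3 or sel > 1 or mtype > 2 or len(data) != _HEX_LEN.get(mtype, len(data)):
            raise ValueError(f"invalid TLSA parameters or digest length: {raw!r}")
        records.append((owner, usage, sel, mtype, data))
    return records


def lint_tlsa(records, max_rrs=MAX_RRS_EXO):
    """Return {owner: [finding, ...]}: duplicate RRs (a bogus-RRset symptom) and oversize sets."""
    by_owner = defaultdict(list)
    for owner, *rr in records:
        by_owner[owner].append(tuple(rr))
    findings = {}
    for owner, rrs in by_owner.items():
        notes = []
        dupes = sum(1 for n in Counter(rrs).values() if n > 1)
        if dupes:
            notes.append(f"{dupes} duplicate RR(s) in the set")
        if len(rrs) > max_rrs:
            notes.append(f"{len(rrs)} RRs exceeds the {max_rrs}-RR limit observed with Exchange Online")
        findings[owner] = notes
    return findings


# Constructed sample (digests are SHA-256 of labels, not real CA SPKI digests): 14 RRs for mta2 as in the thread, one RR twice under mta3.
_h = lambda label: hashlib.sha256(label.encode()).hexdigest()
SAMPLE_ZONE = "\n".join(["_25._tcp.mta2 TLSA 2 1 1 " + _h("ca0")]
    + ["              TLSA 2 1 1 " + _h(f"ca{i}") for i in range(1, 14)]
    + ["_25._tcp.mta3 TLSA 2 1 1 " + _h("r3") + " ; LE R3", "              TLSA 2 1 1 " + _h("r3")])
```

Run `lint_tlsa(parse_tlsa(SAMPLE_ZONE))` against a zone fragment before signing it with ldns-signzone; an empty list for an owner means the set passed both checks.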