On Wed, Aug 12, 2020 at 04:36:11AM +0200, Benny Pedersen wrote:

> posttls-finger lists.roundcube.net

The default TLS security level for "posttls-finger" is "dane".  The MX
records (RRset) of that domain are not DNSSEC signed, so the use of DANE
TLSA records cannot fully protect email transport for this domain.

The MX host has TLSA records:

    _25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
    _25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

But the host's wildcard certificate[1] does not match these records,
breaking inbound email for:

    beyondgroupware.com
    beyondgroupware.net
    kolab-systems.com
    kolab-systems.net
    kolabenterprise.com
    kolabsys.com
    kolabsys.net
    kolabsystems.com
    kolabsystems.net

and now also lists.roundcube.net.

-- 
    Viktor.

[1]
    kolabsystems.net. IN MX 10 mx.kolabsys.com.
    _25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
    _25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

    mx.kolabsys.com[95.128.36.21]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

    mx.kolabsys.com[95.128.36.22]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

    mx.kolabsys.com[95.128.36.23]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

    mx.kolabsys.com[212.103.80.150]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

    mx.kolabsys.com[212.103.80.151]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

    mx.kolabsys.com[212.103.80.152]: tlsa-mismatch
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
      name = *.kolabsys.com
      name = kolabsys.com
      depth = 0
        Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
        Issuer Organization = Sectigo Limited
        notBefore = 2020-05-26T00:00:00Z
        notAfter = 2022-05-27T23:59:59Z
        Subject CommonName = *.kolabsys.com
        cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
        pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
      depth = 1
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2018-11-02T00:00:00Z
        notAfter = 2030-12-31T23:59:59Z
        Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
        Subject Organization = Sectigo Limited
        cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
        pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
      depth = 2
        Issuer CommonName = USERTrust RSA Certification Authority
        Issuer Organization = The USERTRUST Network
        notBefore = 2010-02-01T00:00:00Z
        notAfter = 2038-01-18T23:59:59Z
        Subject CommonName = USERTrust RSA Certification Authority
        Subject Organization = The USERTRUST Network
        cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
        pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
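The "tlsa-mismatch" above comes down to one comparison: the SHA-256 digest of the server's certificate (selector 0, the "cert sha256" line) or of its SubjectPublicKeyInfo (selector 1, the "pkey sha256" line) against the data field of each published "3 x 1" TLSA record. The script below, an added example written for this page and not code from Viktor, Postfix or posttls-finger, performs that comparison with the openssl CLI. It assumes openssl is installed, generates its own throwaway self-signed certificate as constructed input, and uses the two kolabsys.com records quoted in the message as the "published" RRset. It covers only the digest comparison; the DNSSEC validation that posttls-finger also requires for a usable DANE policy is out of scope here. It goes one step beyond the message by re-issuing a certificate for the same key, which shows why a "3 1 1" record survives a certificate renewal that keeps the key while a "3 0 1" record does not.

```shell
#!/bin/sh
# Added example (not Postfix code and not from the message above): compute the
# DANE TLSA matching data for a certificate and compare it with a published
# TLSA RRset, the same comparison posttls-finger reports as "tlsa-mismatch".
# Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test input: a fresh key and a self-signed certificate for it.
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=mx.example.test' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 >/dev/null 2>&1

# tlsa_data CERT.pem SELECTOR
#   Print the SHA-256 (matching type 1) hex digest of the TLSA selector data:
#   selector 0 = the full DER certificate ("3 0 1"), selector 1 = the DER
#   SubjectPublicKeyInfo ("3 1 1"). These are the "cert sha256" and
#   "pkey sha256" values posttls-finger prints for each chain element.
tlsa_data() {
    td_cert=$1 td_sel=$2
    case "$td_sel" in
        0|1) ;;
        *) echo "unsupported selector: $td_sel" >&2; return 2 ;;
    esac
    if [ "$td_sel" = 0 ]; then
        openssl x509 -in "$td_cert" -outform DER
    else
        openssl x509 -in "$td_cert" -noout -pubkey | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# tlsa_match CERT.pem "USAGE SELECTOR MTYPE HEX" ...
#   Succeed if any usage-3 (DANE-EE), matching-type-1 (SHA-256) record matches
#   the certificate. Other usages and matching types are skipped here, since
#   the records in the message all use "3 x 1".
tlsa_match() {
    tm_cert=$1; shift
    for rr in "$@"; do
        set -- $rr                       # split "usage selector mtype data"
        [ $# -eq 4 ] || continue         # ignore malformed records
        if [ "$1" = 3 ] && [ "$3" = 1 ] &&
           [ "$(tlsa_data "$tm_cert" "$2")" = "$(echo "$4" | tr 'A-F' 'a-f')" ]; then
            echo "match: $rr"
            return 0
        fi
    done
    echo "tlsa-mismatch: no published record matches $tm_cert" >&2
    return 1
}

# The two records published for mx.kolabsys.com, quoted from the message above.
PUBLISHED_1="3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27"
PUBLISHED_2="3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f"

# The test certificate does not match them: the failure the message reports.
tlsa_match "$WORK/cert.pem" "$PUBLISHED_1" "$PUBLISHED_2" || true

# Records derived from the certificate itself do match ...
tlsa_match "$WORK/cert.pem" "3 0 1 $(tlsa_data "$WORK/cert.pem" 0)"
tlsa_match "$WORK/cert.pem" "3 1 1 $(tlsa_data "$WORK/cert.pem" 1)"

# ... and after re-issuing a certificate for the same key (a renewal with key
# reuse) the "3 1 1" record still matches while the "3 0 1" record does not.
openssl req -new -x509 -key "$WORK/key.pem" -subj '/CN=mx.example.test' \
    -out "$WORK/cert2.pem" -days 2 >/dev/null 2>&1
tlsa_match "$WORK/cert2.pem" "3 1 1 $(tlsa_data "$WORK/cert.pem" 1)"
tlsa_match "$WORK/cert2.pem" "3 0 1 $(tlsa_data "$WORK/cert.pem" 0)" || true
```

To check a live MX with the same functions, feed `tlsa_data` the PEM certificate saved from `openssl s_client -starttls smtp -connect host:25 -showcerts` and pass it the records from `dig +short TLSA _25._tcp.host`; the digest it prints for selector 0 should equal the "cert sha256" value posttls-finger shows at depth 0, and the one for selector 1 the "pkey sha256" value.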