On Sat, Nov 06, 2021 at 03:28:35AM +0100, Benny Pedersen wrote:

> <us...@lists.roundcube.net>: delivery via mx.kolabsys.com[212.103.80.150]:25:
> Server certificate not verified

Your mail logs have more details.

> how can i solve it ?

Their TLSA records have been broken since ~May 12th 2021:

    https://stats.dnssec-tools.org/explore/?kolabsys.com

but they ignored the notification sent on the 13th. If you know a
responsive contact there, let them know to not neglect their systems:

* Operating an Internet-facing service, especially with higher than
  default security settings, without monitoring is an oxymoron. If they
  operate an email server, and especially if they publish TLSA records,
  they need to monitor the correctness of its configuration.

* DANE is easy to operate correctly by implementing a certificate and
  key rollover process that always deploys matching TLSA records well
  in advance of the corresponding cert chain. They need to take the
  time to do it right, or drop the TLSA records until some future time
  when they can.

* Also, best to avoid wildcard certs that one is tempted to roll all
  on the same day, creating a single point of failure.

* Also best to use "3 1 1" records with stable or in advance generated
  keys. Pinning the exact certificate is a bad idea.

    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

For now, add their domain(s) to your TLS policy table with a security
level of "may".

-- 
    Viktor.

kolabsys.com. IN MX 10 mx01.kolabsys.com.
kolabsys.com. IN MX 10 mx02.kolabsys.com.
kolabsys.com. IN MX 10 mx03.kolabsys.com.
kolabsystems.com. IN MX 10 mx01.kolabsys.com.
kolabsystems.com. IN MX 10 mx02.kolabsys.com.
kolabsystems.com. IN MX 10 mx03.kolabsys.com.
kolabsys.net. IN MX 10 mx01.kolabsys.com.
kolabsys.net. IN MX 10 mx02.kolabsys.com.
kolabenterprise.com. IN MX 10 mx01.kolabsys.com.
kolabenterprise.com. IN MX 10 mx02.kolabsys.com.
beyondgroupware.com. IN MX 10 mx01.kolabsys.com.
beyondgroupware.com. IN MX 10 mx02.kolabsys.com.
beyondgroupware.net. IN MX 10 mx01.kolabsys.com.
beyondgroupware.net. IN MX 10 mx02.kolabsys.com.
kolabsystems.net. IN MX 10 mx.kolabsys.com.
kolab-systems.com. IN MX 10 mx.kolabsys.com.
kolab-systems.net. IN MX 10 mx.kolabsys.com.
lists.roundcube.net. IN MX 10 mx.kolabsys.com

_25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
_25._tcp.mx.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

mx.kolabsys.com[212.103.80.150]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

mx.kolabsys.com[212.103.80.151]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

mx.kolabsys.com[212.103.80.152]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

_25._tcp.mx01.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
_25._tcp.mx01.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

mx01.kolabsys.com[212.103.80.150]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

_25._tcp.mx02.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
_25._tcp.mx02.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

mx02.kolabsys.com[212.103.80.151]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

_25._tcp.mx03.kolabsys.com. IN TLSA 3 0 1 69907f765ac23c5d36a3e1ca639077e74806b047ea2fa67e0ad43ce27e821c27
_25._tcp.mx03.kolabsys.com. IN TLSA 3 0 1 b1a526159ed3e48f4ea0a9c6d348dbda2029e15b975d147b9fef0630da011f3f

mx03.kolabsys.com[212.103.80.152]: tlsa-mismatch TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P256
  name = *.kolabsys.com
  name = kolabsys.com
  depth = 0
    Issuer CommonName = Sectigo RSA Domain Validation Secure Server CA
    Issuer Organization = Sectigo Limited
    notBefore = 2020-05-26T00:00:00Z
    notAfter = 2022-05-27T23:59:59Z
    Subject CommonName = *.kolabsys.com
    cert sha256 [nomatch] <- 3 0 1 e573f62e9a1cbf10738ca93028b82fa0931b08da01c897396c71985d5b622ef0
    pkey sha256 [nomatch] <- 3 1 1 cdbe7e629fee4b0ff61b2832e75c5f3bc870539fe93cd90a406254186f151814
  depth = 1
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2018-11-02T00:00:00Z
    notAfter = 2030-12-31T23:59:59Z
    Subject CommonName = Sectigo RSA Domain Validation Secure Server CA
    Subject Organization = Sectigo Limited
    cert sha256 [nomatch] <- 2 0 1 7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
    pkey sha256 [nomatch] <- 2 1 1 e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8
  depth = 2
    Issuer CommonName = USERTrust RSA Certification Authority
    Issuer Organization = The USERTRUST Network
    notBefore = 2010-02-01T00:00:00Z
    notAfter = 2038-01-18T23:59:59Z
    Subject CommonName = USERTrust RSA Certification Authority
    Subject Organization = The USERTRUST Network
    cert sha256 [nomatch] <- 2 0 1 e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
    pkey sha256 [nomatch] <- 2 1 1 c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde
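The survey output above is what a DANE verifier sees when the published TLSA records no longer describe the deployed chain: every "cert sha256 [nomatch]" and "pkey sha256 [nomatch]" line is a digest computed from the presented certificate that failed to match any "3 0 1" record. The script below is an added example (not Viktor's tool, not Postfix code) of the same check as a self-contained monitoring job: a minimal DER walker pulls SubjectPublicKeyInfo out of a certificate, computes the "3 0 1" (full certificate) and "3 1 1" (public key) digests, and reports match/nomatch per record and per chain depth. It also shows why the "3 1 1" advice holds: renewing the certificate under the same key keeps a "3 1 1" record valid while a "3 0 1" record pinning the old certificate fails. The certificates are constructed, unsigned, certificate-shaped DER with placeholder names and keys (only their digests matter here), and the "published" records are constructed to match them.

```python
"""Check TLSA records against a certificate chain the way a DANE monitor would.
Added example, standard library only; certificates and records are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (matches an issuer), 3 = DANE-EE (matches the leaf)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: str      # hex


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 <hex>'."""
    usage, selector, mtype, data = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), data.lower())


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end, next_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _, _ = _der_tlv(cert_der, 0)         # Certificate
    tag2, pos, _, _ = _der_tlv(cert_der, pos)      # tbsCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, _, nxt = _der_tlv(cert_der, pos)       # optional explicit [0] version
    if tag == 0xA0:
        pos = nxt
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        _, _, _, pos = _der_tlv(cert_der, pos)
    tag, _, _, nxt = _der_tlv(cert_der, pos)       # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:nxt]


def tlsa_digest(cert_der: bytes, selector: int, mtype: int) -> str:
    """Association data a record with this selector/matching type would carry."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()


def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    return tlsa_digest(cert_der, rec.selector, rec.mtype) == rec.data


def dane_status(records, chain):
    """Verifier's view of a chain (leaf first): usage 3 must match depth 0, usage 2
    must match an issuer at depth >= 1; PKIX usages 0/1 are unusable for SMTP DANE
    and never match. Returns (status, [(record, matched depth or None), ...])."""
    results = []
    for rec in records:
        depth = None
        if rec.usage == 3 and tlsa_matches(rec, chain[0]):
            depth = 0
        elif rec.usage == 2:
            depth = next((d for d, c in enumerate(chain[1:], 1) if tlsa_matches(rec, c)), None)
        results.append((rec, depth))
    ok = any(d is not None for _, d in results)
    return ("verified" if ok else "tlsa-mismatch"), results


def fake_cert(subject: bytes, key: bytes, serial: bytes = b"\x01") -> bytes:
    """Constructed, unsigned certificate-shaped DER; only its digests matter here."""
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") + _der(0x30, _der(0x0C, b"Example Issuing CA"))
               + _der(0x30, b"") + _der(0x30, _der(0x0C, subject)) + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00sig"))


# Constructed chain (placeholder names and keys): current leaf plus its issuer.
LEAF = fake_cert(b"*.example.net", b"leaf-key-v1")
ISSUER = fake_cert(b"Example Issuing CA", b"issuer-key")
CHAIN = [LEAF, ISSUER]

# Constructed "published" records: a "3 1 1" for the current key, plus a stale
# "3 0 1" that pins a previous certificate which has since been replaced.
OLD_LEAF = fake_cert(b"*.example.net", b"leaf-key-v0")
PUBLISHED = [parse_tlsa("3 1 1 " + tlsa_digest(LEAF, 1, 1)),
             parse_tlsa("3 0 1 " + tlsa_digest(OLD_LEAF, 0, 1))]


def rollover_demo():
    """Renew the leaf under the same key: '3 1 1' still matches, '3 0 1' does not."""
    renewed = fake_cert(b"*.example.net", b"leaf-key-v1", serial=b"\x02")
    rec311 = parse_tlsa("3 1 1 " + tlsa_digest(LEAF, 1, 1))
    rec301 = parse_tlsa("3 0 1 " + tlsa_digest(LEAF, 0, 1))
    return tlsa_matches(rec311, renewed), tlsa_matches(rec301, renewed)


if __name__ == "__main__":
    status, results = dane_status(PUBLISHED, CHAIN)
    print(status)
    for rec, depth in results:
        print(f"  {rec.usage} {rec.selector} {rec.mtype} {rec.data[:16]}... ->",
              "nomatch" if depth is None else f"match at depth {depth}")
    print("same-key renewal: 3 1 1 match = %s, 3 0 1 match = %s" % rollover_demo())
```

For a real MX, feed `dane_status` the DER form of the presented chain (leaf first) and the records from `_25._tcp.<mx>` TLSA lookups; a cron job that alerts on "tlsa-mismatch" is the monitoring Viktor describes, and running it against the candidate chain before a rollover catches the mismatch while the old chain is still deployed. The records in the survey above are all "3 0 1", which is exactly the pinning that `rollover_demo` shows breaking on renewal.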