On Sat, Sep 03, 2022, Carl Byington via mailop wrote:
> A former client was trying to set up Fedora 36 sendmail with dane
> validation. F36 comes with sendmail 8.17.1 which is supposed to support
> dane, but they get verify=fail talking to my mail servers. So I googled
It would have been nice if y
On Sat, 2022-09-03 at 17:41 +, ml+mailop--- via mailop wrote:
> How did you notice that "something is now broken"?
A former client was trying to set up Fedora 36 sendmail with dane
validation. F36 comes with sendmail 8.17.1 which is supposed to s
How did you notice that "something is now broken"?
"works for me" - I just tried it with an MTA that supports DANE:
server=172.102.240.42,
starttls=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, verify=DANE_SEC,
cert_subject=/CN=mail3.five-ten-sg.com,
cert_issuer=/C=US/O=Let's+20Encrypt/CN=R3,
pubkey_fp
On 3 September 2022 9:17:41 UTC, Simon Arlott via mailop
wrote:
>Looks like the latest version of this (https://github.com/shuque/gotls)
>returns the reason why it fails, which appears to be a bug in the tool
>caused by the expired DST X3 CA:
>
>Result: FAILED: DANE TLS error: cer
On 02/09/2022 16:16, Carl Byington via mailop wrote:
> Years ago I set up automation for tlsa records to support smtp dane here.
> However, something is now broken, and I am not sure what is wrong.
>
> _25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
> 834d710b2feb790cc9b2c6d251c65b1fedc24c51a4149
It appears that Carl Byington via mailop said:
>On Fri, 2022-09-02 at 18:42 +, ml+mailop--- via mailop wrote:
>> Are you sure you want 3 0 1 and not 3 1 1?
>
>Yes. We are publishing the hash of the full certificate. Note there are
>two tlsa r
On Fri, 2022-09-02 at 18:42 +, ml+mailop--- via mailop wrote:
> Are you sure you want 3 0 1 and not 3 1 1?
Yes. We are publishing the hash of the full certificate. Note there are
two tlsa records, one corresponding to the previous LE certificate
> _25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
> 834d710b2feb790cc9b2c6d251c65b1fedc24c51a4149bdfeae4d40e0be11892
Are you sure you want 3 0 1 and not 3 1 1?
Isn't the second number the selector:
0 -- Full certificate: the Certificate binary structure as defined in [RFC5280]
1 -- SubjectPubli
Years ago I set up automation for tlsa records to support smtp dane here.
However, something is now broken, and I am not sure what is wrong.
_25._tcp.mail3.five-ten-sg.com. IN TLSA 3 0 1 (
834d710b2feb790cc9b2c6d251c65b1fedc24c51a4149bdfeae4d40e0be