MTA-STS and DAME

Discussion in 'Installation/Configuration' started by Eliezer Ga, May 20, 2021.

Thread Status:
Not open for further replies.
  1. Eliezer Ga

    Eliezer Ga Member

    Hi All,
    We tested our email using this site: https://www.checktls.com/TestReceiver and it shows the result below:
    (attached screenshot: upload_2021-5-20_18-14-58.png)
    I would like to ask how I can configure MTA-STS and DANE on our ISPConfig server. Thank you for your help.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Don't. Especially if you don't know much about it, it will be a pain in the ass when things are not working. Most servers are not using this either.

    The same goes for this, but if you really want to set it up, generate the DANE record based on your certificate and add it to your zone.

    (Note: I do use DANE for my hosting company, but no MTA-STS)
     
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Here are some instructions for implementing MTA-STS. You would need to modify some steps to apply it within ISPConfig, and it would need to be done manually. It would need code changes to ISPConfig to be able to apply it automatically (e.g. by a checkbox/form in the ISPConfig GUI), and the DNS/mail/website would all need to be controlled by ISPConfig. If any one or more service is not managed by ISPConfig then you're always going to have manual steps.

    https://www.digitalocean.com/commun...-for-your-domain-using-apache-on-ubuntu-18-04
     
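Added example (not from the linked guide, the thread, or ISPConfig): the two pieces of MTA-STS data a domain publishes, and what a policy-aware sender does with them. The `_mta-sts` TXT record and the policy text are constructed samples for the placeholder domain example.com. The point it shows that the prose does not: an `mx` pattern with a leading `*.` matches exactly one label, and a policy in `enforce` mode makes the sender refuse an unlisted MX or a failed TLS check, while `testing` mode only reports.

```python
# Constructed sample of the policy served at
# https://mta-sts.example.com/.well-known/mta-sts.txt (example.com is a placeholder).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""

# Constructed sample of the DNS TXT record at _mta-sts.example.com that tells senders
# a policy exists; the id must change whenever the policy file changes.
SAMPLE_TXT = "v=STSv1; id=20210520T181458"


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record into a dict; None if it is not an STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields


def parse_mta_sts_policy(text):
    """Parse the policy file body (RFC 8461 section 3.2) into a dict.

    Returns None when the policy is malformed; a sender then has no usable policy
    and falls back to whatever it cached, not to a weaker mode of this policy.
    """
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            return None
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        return None
    if policy.get("mode") not in ("enforce", "testing", "none"):
        return None
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        return None
    # Choice made here: an mx line is required unless the policy is being withdrawn (mode none).
    if policy["mode"] != "none" and not policy["mx"]:
        return None
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches one of the policy's mx patterns.

    A leading '*.' matches exactly one label: mx1.backup-mx.example.com matches
    *.backup-mx.example.com, a.b.backup-mx.example.com does not.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".backup-mx.example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def sender_decision(policy, mx_host, tls_ok):
    """What a policy-aware sender does for one MX candidate: 'deliver' or 'refuse'.

    tls_ok is the result of the sender's own certificate validation of that MX.
    In enforce mode an unlisted MX or a failed TLS check blocks delivery; in
    testing mode the mismatch is only reported (via TLSRPT) and mail still flows.
    """
    matches = mx_allowed(policy, mx_host) and tls_ok
    if policy["mode"] == "enforce" and not matches:
        return "refuse"
    return "deliver"
```

Publish the policy in `testing` mode first and only switch to `enforce` once the TLSRPT reports show no mismatches; in `enforce` mode a typo in an `mx` line stops inbound mail from every policy-aware sender until `max_age` expires or they refetch the policy after seeing a new `id`.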
  4. Eliezer Ga

    Eliezer Ga Member

    Hi Th0m,
    Could you please help me with how to generate the DANE record for my certificate? Thank you :)
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    One quick search "DANE record generator" gives you tools like https://ssl-tools.net/tlsa-generator
     
  6. Eliezer Ga

    Eliezer Ga Member

    Hi Th0m,

    Thank you I will give it a shot and will let you know
     
  7. Eliezer Ga

    Eliezer Ga Member

    Hi Th0m,
    I followed your instructions, and when I run a DANE checker it shows this:
    (attached screenshot: upload_2021-5-20_21-32-13.png)

    Any thoughts?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    A DANE record would be added for port 25, not 587. Please note again that without the necessary knowledge on this it is not wise to attempt setting this up - at least for a setup that's used in production.
     
  9. Eliezer Ga

    Eliezer Ga Member

    Hi Th0m,
    My apologies for this. I have another inquiry. Where can I find the certificate for the incoming mail server? Because when I run an SSL checker for outgoing it shows this:
    (attached screenshot: upload_2021-5-20_22-30-46.png)

    but for the incoming mail server it shows this:
    (attached screenshot: upload_2021-5-20_22-32-40.png)

    Thank you for your help
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Try restarting dovecot.
     
  11. slagroom

    slagroom Member

    Yes, I realize this thread is old, but it's still applicable. I wanted to stress a few things from my experiences using TLSA/DANE.
    You really need to tell LetsEncrypt to re-use your private keys for new certificate generation. You do this in certbot using these two:
    --keep --reuse-key
    or be sure that
    reuse_key = True
    is in your [renewalparams]. Otherwise you have invalid TLSA records at every little change from LetsEncrypt, which is a PITA.

    Furthermore, you could try using https://github.com/tlsaware/danebot if you do DNS locally on your server.
    Or try using https://github.com/ekollof/gentlsa if you use CloudFlare for DNS. The problem with this last one is that it fails on Python 3.10+.
    You can test really well using this mailhardener site, and they also offer openssl commands for generating proper TLSA records: https://www.mailhardener.com/kb/how-to-create-a-dane-tlsa-record-with-openssl
     
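Added example, not from this thread, the mailhardener article, or any of the linked tools: a pure-Python equivalent of the `openssl x509 -pubkey | openssl pkey -pubin -outform DER | sha256sum` pipeline that builds a `3 1 1` TLSA record from a certificate, plus the check a DANE-validating sender performs against the live certificate. It covers the two points raised above: the record belongs at `_25._tcp.<mx>` (port 25, not 587), and a `3 1 1` record hashes only the SubjectPublicKeyInfo, so a Let's Encrypt renewal with `reuse_key` keeps the record valid while a full-certificate (`3 0 1`) record breaks at every renewal. The certificates in the block are constructed, unsigned DER blobs with dummy key bytes, labelled as such; on a real server feed `pem_to_der()` the first certificate in the Let's Encrypt fullchain.pem, and `mail.example.com` is a placeholder MX name.

```python
import base64
import hashlib


def der(tag, content):
    """Encode one DER TLV; used here only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(cert_der, pos)         # into tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # explicit [0] version (v2/v3 certs)
        pos = end
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def pem_to_der(pem_text):
    """Decode the first certificate of a PEM file (e.g. Let's Encrypt fullchain.pem)."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def tlsa_data(cert_der, selector=1, mtype=1):
    """Association data: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()


def tlsa_record(mx_host, port, cert_der, usage=3, selector=1, mtype=1):
    """Zone-file line for the MX. Sending MTAs connect on port 25, so the owner is
    _25._tcp.<mx>; 3 1 1 (DANE-EE, SPKI, SHA-256) is the usual choice for an MTA."""
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (
        port, mx_host.rstrip("."), usage, selector, mtype, tlsa_data(cert_der, selector, mtype))


def tlsa_matches(record, cert_der):
    """The check a DANE-validating sender makes: does the published record match the live cert?"""
    f = record.split()                             # owner IN TLSA usage selector mtype data
    selector, mtype, data = int(f[4]), int(f[5]), f[6]
    return data.lower() == tlsa_data(cert_der, selector, mtype).lower()


# Constructed, unsigned certificate-shaped DER for the demo; the key bytes are dummies.
RSA_ALG_ID = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))


def make_spki(key_bytes):
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + key_bytes))


def make_cert(serial, spki):
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"210520000000Z") + der(0x17, b"210818000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + RSA_ALG_ID
              + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + RSA_ALG_ID + der(0x03, b"\x00" + bytes(16)))


SAMPLE_SPKI = make_spki(bytes(range(1, 33)))
CERT_MAY = make_cert(b"\x01", SAMPLE_SPKI)        # first issuance
CERT_AUG = make_cert(b"\x02", SAMPLE_SPKI)        # renewal with reuse_key: same SPKI, new serial

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", 25, CERT_MAY))
```

Before changing the key (or when `reuse_key` is not set), publish the record for the new key next to the old one, wait out the TTL, then rotate; a sender that validates DANE treats a record that matches nothing as a hard failure, not as "fall back to opportunistic TLS".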