
Issue Getting DANE working

Polli

Basic Pleskian
Server operating system version: Debian 12.8
Plesk version and microupdate number: 18.0.66#1
Hi

I am having difficulties using DANE on my Plesk server. For example, I see the following entries in my logs when sending mails:

Code:
Untrusted TLS connection established to gmail-smtp-in.l.google.com[172.253.63.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256

or

Code:
Untrusted TLS connection established to do.havedane.net[37.97.132.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

Apparently the connection is encrypted with TLS 1.3, but it looks like DANE is not used. It should actually say TRUSTED, I think. How can I configure Postfix so that DANE is used when possible, or actually always? All my domains support DANE and are configured correctly. However, I cannot force DANE in Postfix, because then no more mails can be delivered. What is the problem?

I have installed Plesk Email Security.

My main.cf file:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.startdedicated.net, localhost, localhost.localdomain
relayhost =
mynetworks =
mailbox_size_limit = 0
recipient_delimiter =
inet_interfaces = all
default_transport = smtp
relay_transport = relay
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
#smtpd_timeout = 3600s
#smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = ,inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 102400000
virtual_mailbox_limit = 0
tls_preempt_cipherlist = no
tls_medium_cipherlist = TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_ciphers = medium
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
smtputf8_enable = no
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_timeout = 3600s
non_smtpd_milters = ,inet:127.0.0.1:12768
content_filter = smtp-amavis:[127.0.0.1]:10024

Is my cipher list ok? Should I change something there?

What are the default settings of the main.cf file in Plesk? Does Plesk regularly recreate the file?

If you need more information, please let me know.

Thanks for your help
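As an added example (not code from Plesk or Postfix), a small Python checker that reads main.cf syntax and lists what keeps the SMTP client at "Untrusted" or "Trusted" instead of DANE's "Verified"; the sample config is constructed from the client-side TLS lines quoted above, and the parameter semantics follow Postfix's TLS_README.

```python
import re

LOG_RE = re.compile(r"\b(Anonymous|Untrusted|Trusted|Verified) TLS connection established to (\S+?)\[")

# What the smtp_tls_loglevel=1 line means (Postfix TLS_README wording, condensed).
TRUST_MEANING = {
    "Anonymous": "encrypted, but the peer presented no certificate",
    "Untrusted": "certificate presented, chain not verifiable (no usable smtp_tls_CAfile/CApath, or unknown CA)",
    "Trusted": "chain verified against a CA, but no policy (name or DANE) was enforced",
    "Verified": "certificate matched policy: a DNSSEC-validated TLSA record (dane) or the expected name (verify/secure)",
}


def tls_trust_level(log_line: str):
    """Return (level, peer_host) from a 'TLS connection established' log line, else None."""
    m = LOG_RE.search(log_line)
    return (m.group(1), m.group(2)) if m else None


def parse_main_cf(text: str) -> dict:
    """Parse main.cf syntax: 'name = value', '#' comment lines, and continuation
    lines that begin with whitespace. Later assignments override earlier ones."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def dane_findings(params: dict) -> list:
    """List what stops the SMTP client from ever logging 'Verified' via DANE."""
    findings = []
    level = params.get("smtp_tls_security_level", "")
    if level not in ("dane", "dane-only"):
        findings.append(f"smtp_tls_security_level is '{level}': TLSA records are never consulted; set it to 'dane'")
    if params.get("smtp_dns_support_level", "") != "dnssec":
        findings.append("smtp_dns_support_level is not 'dnssec': DANE needs DNSSEC-validated lookups, i.e. a "
                        "validating resolver in /etc/resolv.conf (answers without the AD bit give the dnssec_probe warning)")
    if not (params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append("no smtp_tls_CAfile/smtp_tls_CApath: CA-signed peers are logged 'Untrusted' instead of 'Trusted'")
    if level and ("smtp_use_tls" in params or "smtp_enforce_tls" in params):
        findings.append("smtp_use_tls/smtp_enforce_tls are ignored once smtp_tls_security_level is set; drop them")
    return findings


# Constructed sample: the client-side TLS lines from the main.cf quoted above.
THREAD_MAIN_CF = """\
# TLS parameters
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtp_tls_loglevel = 1
"""

# Constructed: the same lines with what opportunistic DANE needs
# (/etc/ssl/certs is Debian's system CA directory).
DANE_MAIN_CF = """\
smtpd_tls_security_level = may
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/main.cf"
    with open(path) as fh:
        for line in dane_findings(parse_main_cf(fh.read())) or ["DANE prerequisites present"]:
            print(line)
```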
 
Interesting. I checked the file on my Ubuntu server with Plesk and found the option smtp_tls_CApath (Postfix Configuration Parameters) that I did not find in your config file.

If the server certificate chain is trusted (see smtp_tls_CAfile and smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate extension are used to verify the remote SMTP server name. If no DNS names are specified, the certificate CommonName is checked. If you want mandatory encryption without server certificate verification, see above.
(c) https://www.postfix.org/TLS_README.html

With the `plesk repair mail` command, you can check and fix mail-related issues, see Plesk Repair Utility: Mail for more details. For example, you can create a copy of your current configuration (manually) and restore the mail server configuration (with the tool), then compare these files.

P.S. If you want to customize Postfix configuration files, please vote for the next request, Allow customization of /etc/postfix/main.cf
 
Thanks for your tip.

The check with the diagnostic tool did not detect any errors. I do this test regularly. A repair did not fix it. The entry is still missing. I have also deleted the main.cf file and had Plesk recreate it, which leads to the same result. smtp_tls_CApath and smtp_tls_CAfile are not inserted. What should the entries look like to test whether this is the problem? The normal path, as specified by Postfix, does not work here.

I uninstalled Plesk Email Security and did the repair again. Same result: no CA entries made.

My main.cf after repair is now:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.startdedicated.net, localhost, localhost.localdomain
relayhost =
mynetworks =
mailbox_size_limit = 0
recipient_delimiter =
inet_interfaces = all
default_transport = smtp
relay_transport = relay
inet_protocols = ipv4
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
#smtpd_timeout = 3600s
#smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = ,inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 102400000
virtual_mailbox_limit = 0
tls_preempt_cipherlist = no
tls_medium_cipherlist = TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_ciphers = medium
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
smtputf8_enable = no
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_timeout = 3600s
non_smtpd_milters = ,inet:127.0.0.1:12768

I do not know why Plesk does not add these entries. Is it because of my server configuration? Do I need these entries at all? And if so, what should they look like?
I'm confused now.
 
Here is my master.cf

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
cleanup   unix  n       -       y       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-srs
pickup fifo n - y 60 1 pickup
qmgr fifo n - n 1 1 qmgr

smtps      inet  n       -       y       -       -       smtpd
    -o smtpd_tls_wrappermode=yes


submission inet  n       -       y       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db

plesk-62.138.14.246- unix - - n - - smtp -o smtp_bind_address=62.138.14.246 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o inet_protocols=ipv4
 
Ok. I did some research and finally got it working.

I found the CA path and did a:

Code:
openssl verify /usr/lib/ssl/cert.pem

Then I added the following lines to my main.cf file:

Code:
smtpd_tls_CAfile = /usr/lib/ssl/cert.pem
smtp_tls_CAfile = /usr/lib/ssl/cert.pem

Now my Log shows:

Code:
Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.71.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256

or

Code:
Trusted TLS connection established to eur.olc.protection.outlook.com[52.101.68.13]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature RSA-PSS (2048 bits) server-digest SHA256

It's working now, but I don't know why Plesk did not set these entries itself.

Thanks for your hints and help.
 
@Polli You appear to have solved your mail issue now, but FWIW:

Can't comment on the DANE tools that are provided within Plesk or DNS that's configured & managed from within Plesk, as we do both, externally. You don't appear to, but - IF - you do the same, i.e. you also do both externally, so you do have root access to both your server and your server hoster's APIs for DNS and/or a suitable alternative to APIs, then you can add all of your TLSA records (to apply DANE) directly, yourself. This can / should include your mail service(s) obviously, which is what post #1 relates to, as well as domains themselves. We use Plesk for mail and mail services (Postfix / Roundcube etc.) and have zero issues with DANE being configured externally this way and interacting with Plesk in all areas.

We've done all this on all of our hosted domains and once configured, it works perfectly on both domains / mail etc. Once configured, you can verify DANE on many sites as you are no doubt aware, but THIS one is quick for SMTP (ref your post #1) whilst THIS one is for freedom of choice on what / where you're actually testing DANE and is very comprehensive.

Maybe you can think about adding MTA-STS to any domains that you provide a mail service from? (edit: ref: MTA-STS - Mailhardener knowledge base )
It's easier to do this before you set off on your DANE implementation job (as we did) but it can still be done (within Plesk) afterwards.

@AYamshanov We have always had the smtp_tls_CApath entry in Postfix main.cf so that was never an issue (in our case) with the above method.
 
@learning_curve I did all the testing you mentioned above, and all tests passed successfully. I used these tests before to get my DANE settings right. MTA-STS is already implemented on my sites and working.

Plesk is my primary DNS, and SSLit! makes all the necessary entries in my zones automatically while renewing the Let's Encrypt certificate every few months.

My dedicated server is my web, mail and DNS server. Plesk implemented DANE very well, in my opinion. But the CAfile entry in main.cf was not made by Plesk for whatever reason. This has nothing to do with DANE, I think. Maybe some of the devs can say something about this issue.

See attached the results from Hardenize: Comprehensive web site configuration test and DANE SMTP Validator

Thanks for all your help
 

Attachments: Screenshot 2025-01-03 134531.png (316.7 KB), Screenshot 2025-01-03 134616.png (51.1 KB)

I have tried to reproduce the issue on a fresh server but have failed (the option exists; see the default value; it is slightly different from what you use now).

Code:
[...]
Components and product check results:
Installation is finished
[...]

# plesk version
Product version: Plesk Obsidian 18.0.66.1
     OS version: Debian 12.8 x86_64
     Build date: 2024/12/18 14:00
       Revision: 324ab85b11f5f3ecd46fa49d0fbf77c9df62c277

# grep _tls_CA /etc/postfix/main.cf
smtp_tls_CApath=/etc/ssl/certs

#

If you find steps to reproduce the issue, let us know, and I will report the steps to the dev team.
 

@AYamshanov I now have Trusted TLS Connections, but DANE is apparently still not being used. I have added the entry smtp_tls_CApath=/etc/ssl/certs. I can add either CApath or CAfiles, or both to get “Trusted TLS Connection”. If both entries are missing, the log changes to “Untrusted TLS Connection”.
Unfortunately, there is still no complete DANE transmission, as dnssec_probe probably fails. A dig +dnssec shows the “ad” flag. But DANE is apparently still not being used.

My Log shows:

Code:
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: DNSSEC validation may be unavailable

I don't know how Plesk configures my Postfix so that DANE works with it. Apparently the main.cf file is not changed except when I install or uninstall Plesk Email Security. Then the last line is changed, nothing else. With plesk repair mail nothing changes.
Could it be related to a recent upgrade of my Plesk license? I had the Web Admin Edition until recently and have now got the Web Pro Edition.

How can I persuade Plesk to use the default configuration? Then I could start troubleshooting from there. There seems to be a lot going on here. Bind, Postfix, etc...
All test tools show me a correct configuration. Except for havedane.net. Here I can also send to an invalid DANE domain, which should not be the case. In the log it says for all mails sent to havedane.net: "Untrusted TLS Connection".

I have already found out almost everything myself. But I'm slowly losing my way.

Thanks for your help
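Since SSLit! rewrites the TLSA records on every Let's Encrypt renewal, a quick way to confirm that the record in DNS matches the certificate the MX really serves on port 25 (and to see why a `3 1 1` record only survives a renewal when the key is reused) is this added Python check. It is not Plesk's, SSLit!'s or Postfix's code: the DER walker, the `fetch_der`/`check_live` helpers and the `sample_cert` skeleton are all constructed for the example, and the sample data is synthetic.

```python
import hashlib
import smtplib
import socket
import ssl


def _read_tlv(buf: bytes, off: int):
    """Return (tag, body, end_offset) of the DER element that starts at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(body: bytes):
    """Split a constructed element's body into (tag, body, raw_tlv) tuples."""
    out, off = [], 0
    while off < len(body):
        start = off
        tag, inner, off = _read_tlv(body, off)
        out.append((tag, inner, body[start:off]))
    return out


def spki_from_cert(der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_body = _children(cert_body)[0][1]               # tbsCertificate
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA record in presentation format (RFC 6698), e.g. '3 1 1 <sha256 hex>'."""
    data = spki_from_cert(der) if selector == 1 else der    # selector 0 = whole cert
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_matches(der: bytes, published: str) -> bool:
    """Check a leaf certificate against a published DANE-EE record ('3 s m hex').
    Usage 2 (DANE-TA) records name an issuer and need the chain, so they are refused."""
    usage, selector, mtype, digest = published.split()
    if usage != "3":
        raise ValueError("only usage 3 records can be checked against the leaf alone")
    return tlsa_rdata(der, 3, int(selector), int(mtype)).split()[3] == digest.lower()


def fetch_der(host: str, port: int = 25, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate a mail server presents. Ports 25 and 587 speak
    STARTTLS (a plain TLS probe there fails with 'wrong version number'); 465 is
    implicit TLS. Verification is off: we want the certificate, not a CA verdict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if port == 465:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def check_live(host: str, port: int, published: str) -> bool:
    """Compare the certificate served right now with the record from DNS
    (the rdata shown by: dig TLSA _25._tcp.<mx-hostname>)."""
    return tlsa_matches(fetch_der(host, port), published)


def _tlv(tag: int, body: bytes) -> bytes:
    """DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(key_byte: int, serial: int = 1) -> bytes:
    """Constructed, unsigned X.509 skeleton (not a real certificate): a P-256 SPKI
    whose point bytes are all key_byte, so equal key_byte means equal public key."""
    def oid(h): return _tlv(0x06, bytes.fromhex(h))
    spki = _tlv(0x30, _tlv(0x30, oid("2a8648ce3d0201") + oid("2a8648ce3d030107"))
                + _tlv(0x03, b"\x00\x04" + bytes([key_byte]) * 64))
    sig_alg = _tlv(0x30, oid("2a8648ce3d040302"))       # ecdsa-with-SHA256
    name = _tlv(0x30, b"")                               # empty Name is valid DER
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))
```

`sample_cert(k, serial=2)` stands for a renewed certificate with the same key: its `3 1 1` record is unchanged while a `3 0 1` (whole-certificate) record changes with every renewal.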
 
Sorry for posting again.

DANE is still not used by Postfix for sending mail. The log tells me "Trusted TLS Connection", but for a successful DANE transmission it has to be "Verified TLS Connection". But I don't get this working.

I've looked in my oldest config backup from 2020. There is no CAfile or CApath entry. So it must be a Plesk issue from a long time ago. Nothing gets changed in main.cf when I edit mail settings in Plesk. Strange. I've done a full repair of Plesk with all options. But nothing changed. The main.cf is just generated as it was before on repair, or when it gets edited by the Plesk UI.

Every test site tells me that DANE is set up correctly. But it will not work.

There is an issue with verifying the certificate. I've done some testing. I've tested ports 443, 465, 587, 25, 110, 993 and 995.

Code:
~# echo | openssl s_client -showcerts -connect mail.leagues-united.de:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = mail.leagues-united.de
verify return:1
---
Certificate chain
 0 s:CN = mail.leagues-united.de
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  2 19:46:55 2025 GMT; NotAfter: Apr  2 19:46:54 2025 GMT
-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAg.....IFLMbHA==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R10
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBTCCAu.....LKz7OA54=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.leagues-united.de
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3136 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8B27E9882A5BAAC929641AF60B286371D7ACED6F12B9D5F244523349E0210232
    Session-ID-ctx:
    Resumption PSK: D0A74DF17B5D8EB4EA374BE4B6A0080A867C0C8E6A0D918094473D49157694679F9BEF575FFC6224B64330267A19E9EF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - df 78 31 65 ee 24 91 53-ee f8 2f cc ca 4a f2 3b   .x1e.$.S../..J.;
    .....
    00f0 - 5a 51 46 6b 0b 9b 5d 64-db 9d 85 63 6e c7 27 a1   ZQFk..]d...cn.'.

    Start Time: 1735936431
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FB2C50687E2EED22C35A199C5ED5E4D5C553071AC0407A1275C78B1AD57204E4
    Session-ID-ctx:
    Resumption PSK: F330682FA0BE8FBA41A475891FDDC392C021FF22779EA825028A520D99EBA1EEE693135D94F0CD3E31FE4EE01148CC1C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - df 78 31 65 ee 24 91 53-ee f8 2f cc ca 4a f2 3b   .x1e.$.S../..J.;
    ....
    00e0 - b2 eb 9e 61 4e e9 34 d8-8b 59 6c 7a b5 f4 e5 5a   ...aN.4..Ylz...Z

    Start Time: 1735936431
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE



Code:
# echo | openssl s_client -showcerts -connect mail.leagues-united.de:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = leagues-united.de
verify return:1
---
Certificate chain
 0 s:CN = leagues-united.de
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 22:56:53 2024 GMT; NotAfter: Mar 26 22:56:52 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gA.....aCSgjEzLQ==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6.....XOMEZSa8DA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = leagues-united.de
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3146 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE



Code:
:~# echo | openssl s_client -showcerts -connect mail.leagues-united.de:587
CONNECTED(00000003)
40C7D8C2E37F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 328 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

It seems that there is no certificate for STARTTLS (587) and also for port 110.

Code:
~# echo | openssl s_client -showcerts -connect mail.leagues-united.de:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = leagues-united.de
verify return:1
---
Certificate chain
 0 s:CN = leagues-united.de
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 22:56:53 2024 GMT; NotAfter: Mar 26 22:56:52 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAg.....VwY5aCSgjEzLQ==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6gA.....0XOMEZSa8DA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = leagues-united.de
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3146 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D7EF6AA8D4...383CED13CB050BEC
    Session-ID-ctx:
    Resumption PSK: 33D262830953B55EC...98F37255837362A91D91809067E50F0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - fd 9f 91 41 34 07 9e 8e-9a ac d1 cf 67 ae 14 68   ...A4.......g..h
    ......
    00d0 - de 3a d3 aa dc 78 04 1b-a7 81 ef e3 a0 6b 52 02   .:...x.......kR.

    Start Time: 1735936959
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9F7973EDEF87E...0366584DD3
    Session-ID-ctx:
    Resumption PSK: 14ADB664826D26006...923E102D181B4561EF0C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - fd 9f 91 41 34 07 9e 8e-9a ac d1 cf 67 ae 14 68   ...A4.......g..h
    ......
    00d0 - 01 13 b1 8d fe 8a 40 b5-8d 3f 8a 1c 13 5f d0 bb   ......@..?..._..

    Start Time: 1735936959
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
DONE
 
2/2

Code:
~# echo | openssl s_client -showcerts -connect mail.leagues-united.de:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = leagues-united.de
verify return:1
---
Certificate chain
 0 s:CN = leagues-united.de
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 22:56:53 2024 GMT; NotAfter: Mar 26 22:56:52 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFBzCCA++g.....gjEzLQ==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBjC.....ZSa8DA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = leagues-united.de
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3146 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E4A4F5C27FFB9FD70AE2F7C527B1EB0A2661D4931F2CB78D2F3B2D8AD35A9FC4
    Session-ID-ctx:
    Resumption PSK: FBC14B2FA49E5FE572DB4BFA18A5030D1EF8F9536D2291700D53CFA6F23DCB1235F7F7C26697C16CA58DEB819FE622F7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 54 71 35 45 4d 09 14-41 94 60 08 6c 34 85 c7   .Tq5EM..A.`.l4..
    .....
    00d0 - b6 a1 68 b1 b8 ea f0 4a-e3 83 29 36 07 af 79 c7   ..h....J..)6..y.

    Start Time: 1735937107
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 01D7999E47B525543EB4008E8906327F7CD0C7138EFB633A8495F4B3265CCDA7
    Session-ID-ctx:
    Resumption PSK: AB9E27EDF85D62D9243C05419E0560BFFCDDEEE7F577E31EECF97B8004BA450687A13867AF8C99EC562328A0EB57A92D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ae 54 71 35 45 4d 09 14-41 94 60 08 6c 34 85 c7   .Tq5EM..A.`.l4..
    ......
    00d0 - ea ad 34 8a 11 fa 0e b1-da 87 3d be f4 87 e5 b1   ..4.......=.....

    Start Time: 1735937107
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
+OK Dovecot ready. <2f4662.a.67784c53.s7bl81XHeMZsSY1VRlr2JQ==@mail.leagues-united.de>
DONE

It seems that only ports 443, 465, 993 and 995 have a verified certificate assigned. Ports 587 and 110 have no verified certificate, or none at all.

Also, port 143 for IMAP and 443 for web are not inserted by SSL It! into my DNS zones.

With the "posttls-finger" the certificate is untrusted.

Code:
:~# posttls-finger mail.leagues-united.de
posttls-finger: Connected to mail.leagues-united.de[62.138.14.246]:25
posttls-finger: < 220 mail.leagues-united.de ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO mail.leagues-united.de
posttls-finger: < 250-mail.leagues-united.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 102400000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for mail.leagues-united.de[62.138.14.246]:25: untrusted issuer /C=US/O=Internet Security Research Group/CN=ISRG Root X1
posttls-finger: mail.leagues-united.de[62.138.14.246]:25: subject_CN=mail.leagues-united.de, issuer_CN=R10, fingerprint=35:78:EF:EA:73:60:05:EC:D3:F9:D6:E6:3E:E4:D2:F3, pkey_fingerprint=09:B2:25:87:FE:D4:67:9B:A5:F2:38:67:99:C9:17:11
posttls-finger: Untrusted TLS connection established to mail.leagues-united.de[62.138.14.246]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO mail.leagues-united.de
posttls-finger: < 250-mail.leagues-united.de
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 102400000
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

What's wrong with my configs?

Thanks for helping me solve this issue.
 
The error you are encountering typically occurs when trying to initiate an SSL/TLS connection on a port that expects a different protocol or handshake method. In your case, you are attempting to connect to mail.leagues-united.de on port 587 using OpenSSL's s_client without specifying the correct protocol negotiation method.
Code:
openssl s_client -starttls smtp -showcerts -connect mail.leagues-united.de:587
 
The error you are encountering typically occurs when trying to initiate an SSL/TLS connection on a port that expects a different protocol or handshake method. In your case, you are attempting to connect to mail.leagues-united.de on port 587 using OpenSSL's s_client without specifying the correct protocol negotiation method.
Ok. The output of your command shows:

Code:
mail:~# openssl s_client -starttls smtp -showcerts -connect mail.leagues-united.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = leagues-united.de
verify return:1
---
Certificate chain
 0 s:CN = leagues-united.de
   i:C = US, O = Let's Encrypt, CN = R11
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 22:56:53 2024 GMT; NotAfter: Mar 26 22:56:52 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFBzCC.....Y5aCSgjEzLQ==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBjCCA.....x+O0XOMEZSa8DA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = leagues-united.de
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3381 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B65EB4D6A......36CCE83BC25618B
    Session-ID-ctx:
    Resumption PSK: 4E23DAA3.......6A0C568DF96E83EDE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 69 ba a7 0a e2 ed 4b b5-4b 19 f3 3a 54 ab ae c3   i.....K.K..:T...
    0010 - c3 ed 1c 77 68 37 b5 b6-94 f8 58 10 3f 3c 4a 14   ...wh7....X.?<J.
    0020 - ee 5e c4 7c 21 bf bc 48-2d 93 f1 73 b9 47 d5 d1   .^.|!..H-..s.G..
    0030 - 04 80 b8 72 cc 93 a8 a9-f0 02 18 a2 b1 d3 8f bd   ...r............
    0040 - ab 30 e4 ab 25 aa c4 32-6f f0 6a 63 38 bf b1 65   .0..%..2o.jc8..e
    0050 - 0c 16 0c 34 3c af 08 bd-65 64 06 a7 9d 4a ee b5   ...4<...ed...J..
    0060 - 52 be 50 9e 8e 87 cd e9-34 1d 1a 92 90 11 28 d1   R.P.....4.....(.
    0070 - 44 36 03 23 62 0c c7 f7-55 46 99 a8 57 5f 8e c1   D6.#b...UF..W_..
    0080 - 5f 2c 2b 94 d8 b3 92 6d-0b 1e 36 64 58 47 a9 b0   _,+....m..6dXG..
    0090 - a9 54 34 bb a6 ae a6 4f-9d 4e 9f d0 aa a3 ea 27   .T4....O.N.....'
    00a0 - 0f 90 c0 45 61 ba c6 da-6f ec 00 6d 43 0f 85 ef   ...Ea...o..mC...
    00b0 - 92 d2 51 c9 ed 0a d6 e1-12 42 78 ff 06 b2 08 0d   ..Q......Bx.....
    00c0 - b7 0a 6e f0 53 99 c1 5f-cc ea de a1 4d ec 44 9f   ..n.S.._....M.D.
    00d0 - c2 25 93 e6 f2 1a 98 5f-b5 67 87 e4 f2 d9 b1 7a   .%....._.g.....z
    00e0 - b3 66 d1 e6 91 6a a3 23-1a 1b 96 fd 20 6c 55 ec   .f...j.#.... lU.

    Start Time: 1736806212
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

When I activate DANE and Let's Encrypt gives me a certificate, what's wrong with my config? So is Plesk not doing all the necessary settings? DNSSEC is set up and configured correctly with my registrar, as Plesk is my primary DNS server. What Plesk and Let's Encrypt don't do is set the TLS entry for ports 143 and 443. What can I do to have these ports set up by Plesk, and configure my server so that Let's Encrypt also sets these ports with the next update of my certificates? What do I have to do to set up my config for the correct negotiation method?

Thanks for your help
 
I don't know, I am facing the same difficulties as you in getting the connections verified. My Postfix configuration file also did not have the entries for the certificates. I am struggling to get my server to use DNSSEC.
 
I don't know, I am facing the same difficulties as you in getting the connections verified. My Postfix configuration file also did not have the entries for the certificates. I am struggling to get my server to use DNSSEC.

When Plesk is your primary DNS server, you need to set glue records at your registrar, pointing to your Plesk DNS server. For DNSSEC entries at your registrar you have to set them manually, when they support it. So signing your DNS zone with DNSSEC is only possible when your registrar supports it. Look for DNSSEC menu entries at your registrar and enter them manually as they were generated by Plesk.

Example: Under "Hosting and DNS" you find DNSSEC. There you can find your DNSKEY entries like these:

Code:
; This is a key-signing key, keyid 39346, for oliver-tief.de.
; Created: 20241224120553 (Tue Dec 24 13:05:53 2024)
oliver-tief.de. IN DNSKEY 257 3 8 AwEAAbzF4ruh...........a lot more letters ...............Kn0AYK9 0HsbAg47HyM=
; This is a key-signing key, keyid 31775, for oliver-tief.de.
; Created: 20241224120554 (Tue Dec 24 13:05:54 2024)
oliver-tief.de. IN DNSKEY 257 3 8 AwEAAYpM3SkP59X.........a lot more letters ............wbDR rzP37Qeghyc=

And there are DS resource entries like:

Code:
oliver-tief.de. IN DS 39346 8 1 61A3E6E6......89E41ABB0B
oliver-tief.de. IN DS 39346 8 2 3E9DEFF2615A4897831FF2BF3E.....03DC47FEB23E8AE1BC44123
oliver-tief.de. IN DS 31775 8 1 CB60CA09E4FB01DD......2FD03E47F68
oliver-tief.de. IN DS 31775 8 2 E8F99A9505DBB1BDBE.............BE6B068CA0A8991C8

As you see, there are two keyids, 39346 and 31775 in my case. Find the matching pairs and copy the DNSKEY part, beginning from yourdomain.com until the end of the cryptic entry, into the DNSKEY RR field. Then copy the matching DS resource record (the longer line) into the DS Record field. Repeat this with the 2nd keyid. That's it.
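An added check for the procedure above (example code written for this thread, not Plesk's or any registrar's): rebuild the key tag and the DS digest from a DNSKEY line so you can confirm that the DS record you typed at the registrar really belongs to the key Plesk generated. The sample key "AQI=" is a constructed placeholder, since the real DNSKEY values are elided above.

```python
# Added example, not from the thread: rebuild the key tag (RFC 4034 App. B)
# and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY line, to confirm
# that the DS record entered at the registrar belongs to the DNSKEY that
# Plesk generated. Standard library only.
import base64
import hashlib


def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name such as 'example.de.'"""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rr: str):
    """Split 'owner. [TTL] IN DNSKEY flags proto alg base64...' into its parts."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: the input to both key tag and DS digest."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(rr: str, digest_type: int = 2) -> str:
    """DS presentation line for a DNSKEY RR; digest type 1 = SHA-1, 2 = SHA-256."""
    owner, flags, proto, alg, key = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, key)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_rr: str, ds_rr: str) -> bool:
    """True if a DS line (as shown by the registrar) was derived from the DNSKEY."""
    f = ds_rr.split()
    i = f.index("DS")
    have = (f[0].lower(), int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
            "".join(f[i + 4:]).upper())  # digest may be split across fields
    if have[3] not in (1, 2):
        return False
    g = ds_record(dnskey_rr, have[3]).split()
    return have == (g[0].lower(), int(g[3]), int(g[4]), int(g[5]), g[6])


# Constructed sample: "AQI=" decodes to two placeholder bytes, not a real RSA
# key, because the thread's own DNSKEY values are elided above.
SAMPLE_DNSKEY = "oliver-tief.de. IN DNSKEY 257 3 8 AQI="
```

Paste the DNSKEY line Plesk shows into `SAMPLE_DNSKEY` and the registrar's DS line into `ds_matches()`; a False result means the two do not belong together and validation will fail for the whole zone.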
 
I think I have it, I have run the test on Have DANE? and the results are correct:


postfix/smtp [1361244]
2ABC62000CBB38: to=<[email protected]>, relay=dont.havedane.net[xx.xx.xx.xxx.xxx.xxx]:25, delay=1.4, delays=0.85/0.05/0.35/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6C4B3215CC).

postfix/smtp [1361141]
2ABC62000CBB38: to=<[email protected]>, relay=do.havedane.net[xx.xx.xxx.xxx.xxx]:25, delay=1.3, delays=0.85/0/0.34/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5E78A215C9)

postfix/smtp [1361245]
2ABC62000CBB38: to=<[email protected]>, relay=wrong.havedane.net[xx.xx.xx.xxx.xxx.xxx]:25, delay=1.2, delays=0.85/0.08/0.24/0, dsn=4.7.5, status=deferred (Untrusted server certificate).
 
More logs confirming that it works as expected.

postfix/smtp [1361245]
Untrusted TLS connection established with wrong.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with encryption TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) server digest SHA256

postfix/smtp [1361245]
certificate verification failed for wrong.havedane.net[xx.xx.xxx.xxx.xxx]:25: untrusted issuer /CN=Easy-RSA CA

postfix/smtp [1361244]
Untrusted TLS connection established with dont.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with encryption TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) server digest SHA256

postfix/smtp [1361141]
Verified TLS connection established to do.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) SHA256 server digest
 
More logs confirming that it works as expected.

postfix/smtp [1361245]
Untrusted TLS connection established with wrong.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with encryption TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) server digest SHA256

postfix/smtp [1361245]
certificate verification failed for wrong.havedane.net[xx.xx.xxx.xxx.xxx]:25: untrusted issuer /CN=Easy-RSA CA

postfix/smtp [1361244]
Untrusted TLS connection established with dont.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with encryption TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) server digest SHA256

postfix/smtp [1361141]
Verified TLS connection established to do.havedane.net[xx.xx.xxx.xxx.xxx]:25: TLSv1.3 with TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) SHA256 server digest
Cool. What have you done to get it working? Can you show me your Postfix config? Maybe I can see what's different from my config. What ciphers do you use?

Those are my log entries:

Code:
2025-01-15 19:50:16 info postfix/smtp [1056689] D6BAD3EC04A6: to=<[email protected]>, relay=wrong.havedane.net[37.97.132.208]:25, delay=1.1, delays=0.65/0.04/0.38/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DB01C2009E)
2025-01-15 19:50:16 info postfix/smtp [1056687] D6BAD3EC04A6: to=<[email protected]>, relay=do.havedane.net[37.97.132.208]:25, delay=1, delays=0.65/0.02/0.3/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C4F112009F)
2025-01-15 19:50:16 info postfix/smtp [1056689] Untrusted TLS connection established to wrong.havedane.net[37.97.132.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
2025-01-15 19:50:16 info postfix/smtp [1056688] D6BAD3EC04A6: to=<[email protected]>, relay=dont.havedane.net[37.97.132.208]:25, delay=0.99, delays=0.65/0.03/0.27/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BF10A2009E)
2025-01-15 19:50:16 info postfix/smtp [1056687] Untrusted TLS connection established to do.havedane.net[37.97.132.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
2025-01-15 19:50:16 info postfix/smtp [1056688] Untrusted TLS connection established to dont.havedane.net[37.97.132.208]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)

Thanks for your help
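The difference between the working logs quoted above ("Verified" for do.havedane.net) and the failing ones ("Untrusted" for every relay) is the trust level Postfix prints on each session line. An added example, not code from the thread, that parses those lines and flags DANE relays that never reached "Verified"; the sample log is constructed after the thread's entries, with placeholder IPs and PIDs.

```python
# Added example, not from the thread: classify Postfix's outbound TLS result
# lines. Postfix reports one of four trust levels, weakest first: Anonymous
# (no certificate), Untrusted (certificate not verifiable), Trusted (CA
# verified) and Verified (DANE TLSA match or configured secure-channel match).
# For a relay that publishes TLSA records, anything below Verified means the
# session was encrypted but the peer was not authenticated.
import re

# Accepts the English form ("established to ... with cipher") and the
# localised form quoted above ("established with ... with encryption").
TLS_LINE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|with) (?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with (?:cipher|encryption) (?P<cipher>\S+)")
VERIFY_FAIL = re.compile(
    r"certificate verification failed for (?P<relay>[^\[\s]+)\[[^\]]+\]:\d+: "
    r"(?P<reason>.+)$")


def parse_tls_line(line: str):
    """Dict with level/relay/ip/port/proto/cipher for a session line, else None."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def relay_levels(log_text: str) -> dict:
    """Most recently logged trust level per relay host."""
    levels = {}
    for line in log_text.splitlines():
        ev = parse_tls_line(line)
        if ev is not None:
            levels[ev["relay"]] = ev["level"]
    return levels


def audit_dane(log_text: str, dane_relays: set) -> list:
    """(relay, level, reason) for DANE relays whose session was not Verified.

    Postfix logs the verification failure just before the session line, so
    the last reason seen for a relay is attached to the finding."""
    reasons, findings = {}, []
    for line in log_text.splitlines():
        vf = VERIFY_FAIL.search(line)
        if vf is not None:
            reasons[vf["relay"]] = vf["reason"].strip()
            continue
        ev = parse_tls_line(line)
        if ev is not None and ev["relay"] in dane_relays and ev["level"] != "Verified":
            findings.append((ev["relay"], ev["level"],
                             reasons.get(ev["relay"], "no verification failure logged")))
    return findings


# Constructed sample modelled on the logs in this thread (IPs and PIDs are placeholders).
SAMPLE_LOG = """\
postfix/smtp[1361141]: Verified TLS connection established to do.havedane.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/smtp[1361244]: Untrusted TLS connection established with dont.havedane.net[192.0.2.11]:25: TLSv1.3 with encryption TLS_AES_256_GCM_SHA384 (256/256 bits) key exchange X25519 server signature RSA-PSS (2048 bits) server digest SHA256
postfix/smtp[1361245]: certificate verification failed for wrong.havedane.net[192.0.2.12]:25: untrusted issuer /CN=Easy-RSA CA
postfix/smtp[1361245]: Untrusted TLS connection established to wrong.havedane.net[192.0.2.12]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/smtp[1056688]: Anonymous TLS connection established to mx.example.net[192.0.2.13]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
"""
```

Run `audit_dane(open("/var/log/mail.log").read(), {"do.havedane.net"})` on the failing server and the finding will be "Untrusted" with no verification failure logged, which is what you see when Postfix never looked up the TLSA records at all.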
 
follow in your footsteps. The only thing I think I did differently from you was to add DNS configuration at the server level, in the Plesk interface:

Code:
dnssec-enable yes;
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";

In the text field I already had:

Code:
version "none";
auth-nxdomain no;
listen-on-v6 { any; };

This made it start to work.
 