Issue Getting DANE working

follow in your footsteps. The only thing I think I did different from you was to add dns configuration at the server level, in the plesk interface:
What do you mean with server level?

I get this error message when I add these entries:
Code:
dnsmng failed: /etc/named-user-options.conf:4: option 'dnssec-enable' no longer exists
 
Follow this path in the plesk interface.

Plesk => Tools and Settings => DNS Settings => Server-wide Settings => Additional DNS Settings
 
I did, but I get errors. I tried these, but it won't get saved.

Code:
version "none";
auth-nxdomain no;
max-records-per-type 0;
dnssec-enable yes;
dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";
 
what errors?
 
I'm on Debian 12.9 using Bind9. I think that Bind doesn't like the dnssec-enable command.

Code:
dnsmng failed: /etc/named-user-options.conf:4: option 'dnssec-enable' no longer exists
Did you create that file? I had to create it.
If you did it and the error persists I can't help you, see if there is someone on the forum who is more familiar with this.
 
ChatGPT tells me that your version is newer than mine, and that the correct form for that version is this one:

dnssec-validation auto;
managed-keys-directory "/var/named/dynamic";

I don't know if the path /var/named/dynamic corresponds to the one on your system.
 
I found my path, but it won't work. Postfix is reloading again and again after I restart Bind9 with these settings.

Code:
version "none";
auth-nxdomain no;
max-records-per-type 0;
dnssec-validation auto;
managed-keys-directory "/var/cache/bind/";
 
I don't know why this won't work. The tool at Check a DANE SMTP Service tells me everything is fine:

Code:
Domain Name: oliver-tief.de

MX host: 10 mail.oliver-tief.de.

#################################################################
### CHECKING MX HOST: mail.oliver-tief.de.
#################################################################
Host: mail.oliver-tief.de. Port: 25
SNI: mail.oliver-tief.de.
STARTTLS application: smtp
DNS TLSA RRset:
  qname: _25._tcp.mail.oliver-tief.de.
  3 0 1 b44cd47fbc05bd9aad046bf6fb6772a0e52332c766facb3aaf2e6433903cffea
IP Addresses found:
  62.138.14.246

## Checking mail.oliver-tief.de. 62.138.14.246 port 25
DANE TLSA 3 0 1 [b44cd47f..]: OK matched EE certificate
## STARTTLS Transcript:
recv: 220 mail.leagues-united.de ESMTP Postfix (Debian/GNU)
send: EHLO cheetara.huque.com
recv: 250-mail.leagues-united.de
recv: 250-PIPELINING
recv: 250-SIZE 102400000
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 CHUNKING
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
## Peer Certificate Chain:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## PKIX Certificate Chain 0:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
   2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## DANE Certificate Chain 0:
   0 CN=oliver-tief.de
     CN=R11,O=Let's Encrypt,C=US
   1 CN=R11,O=Let's Encrypt,C=US
     CN=ISRG Root X1,O=Internet Security Research Group,C=US
## TLS Connection Info:
   TLS version: 1.3
   CipherSuite: TLS_AES_128_GCM_SHA256
## End-Entity Certificate Info:
   X509 version: 3
   Serial#: 39f921d0c44c18912866d118ba9f006caf8
   Subject: CN=oliver-tief.de
   Issuer:  CN=R11,O=Let's Encrypt,C=US
   SAN dNSName: *.oliver-tief.de
   SAN dNSName: oliver-tief.de
   SAN dNSName: polli-online.de
   SAN dNSName: tontechnik-tief.de
   SAN dNSName: www.polli-online.de
   SAN dNSName: www.tontechnik-tief.de
   Signature Algorithm: SHA256-RSA
   PublicKey Algorithm: RSA 2048-Bits
   Inception:  2025-01-14 20:18:31 +0000 UTC
   Expiration: 2025-04-14 20:18:30 +0000 UTC
   KU: DigitalSignature KeyEncipherment
   EKU: ServerAuth ClientAuth
   Is CA?: false
   SKI: 98dae1bcab4659a7c6e2285224c4838d36c8e4df
   AKI: c5cf46a4eaf4c3c07a6c95c42db05e922f26e3b9
   OSCP Servers: [http://r11.o.lencr.org]
   CA Issuer URL: [http://r11.i.lencr.org/]
   CRL Distribution: []
   Policy OIDs: [2.23.140.1.2.1]
Result: DANE OK

[0] Authentication succeeded for all (1) peers.

My logs show me this:

Code:
2025-01-17 18:47:14    postfix/smtpd [1642773] disconnect from cheetara.huque.com[50.116.63.23] ehlo=1 starttls=1 commands=2
2025-01-17 18:47:14    postfix/smtpd [1642773] lost connection after STARTTLS from cheetara.huque.com[50.116.63.23]
2025-01-17 18:47:14    postfix/smtpd [1642773] Anonymous TLS connection established from cheetara.huque.com[50.116.63.23] to mail.oliver-tief.de: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2025-01-17 18:47:13    postfix/smtpd [1642773] connect from cheetara.huque.com[50.116.63.23]

With my mail clients I always get an untrusted TLS connection when sending mails. It seems that my mail server doesn't check for a DANE connection. How can I solve this?

Thanks for your help
 
Someone sent me an error message today because they were unable to send me an e-mail.

Code:
Achtung: Die Mail konnte noch nicht versendet werden seit: 1 Stunde.
Es wird weiter versucht die Mail auszuliefern bis Donnerstag, 20. Februar 2025 18:31:48 +0100 (CET).

Der folgende Empfänger ist betroffen:

[email protected]
  Letzter Fehler   : 450 4.7.323
  Erklärung: 4.7.323 The domain mail.mydomain.de failed DANE validation: DANE-EE:
             DANE Certificate Association Data does not match client
             certificate (SHA2-256)
  Letzter Weiterleitungsversuch war: Mittwoch, 19. Februar 2025 19:30:45 +0100 (CET)

  Mitschnitt der Session:
  ... während des  Weiterleitungsversuches zu mail.mydomain.de [62.138.14.246:25]:
>>> STARTTLS
  <<< 450 4.7.323 The domain mail.mydomain.de failed DANE validation:
      DANE-EE: DANE Certificate Association Data does not match client
      certificate (SHA2-256)
Reporting-MTA: DNS; mo4-p00-ob.smtp.rzone.de
Received-From-MTA: DNS; smtpclient.apple (2.241.227.24)
Arrival-Date: Wed, 19 Feb 2025 18:31:41 +0100 (CET)

Final-Recipient: RFC822; [email protected]
Action: delayed
Status: 4.7.323
Remote-MTA: DNS; mail.mydomain.de [62.138.14.246:25]
Diagnostic-Code: SMTP; 450 4.7.323 The domain mail.mydomain.de failed DANE
                validation: DANE-EE: DANE Certificate Association Data
                does not match client certificate (SHA2-256)
Last-Attempt-Date: Wed, 19 Feb 2025 19:30:45 +0100 (CET)
Will-Retry-Until: Thu, 20 Feb 2025 18:31:48 +0100 (CET)

All test pages show me that my DANE configuration is correct.

What can I do?
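The bounce says the SHA-256 association data in the published TLSA record did not match the certificate the server presented. The following script is an added example, not from this thread or from Plesk: with only the Python standard library it builds two synthetic DER certificates (constructed stand-ins, not real keys) that share one key pair, computes the association data a "3 0 1" and a "3 1 1" record would carry, and checks a presented certificate against a record the way a DANE-validating sender does, which shows that a renewed certificate stops matching a 3 0 1 record while a 3 1 1 record over the public key keeps matching as long as the key pair is reused.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:   # minimal-length DER encoding of one TLV
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(body).to_bytes(size, "big") + body

def der_seq(*parts: bytes) -> bytes: return der_tlv(0x30, b"".join(parts))

def der_items(body: bytes) -> list:
    """Decode the (tag, value) pairs directly inside one constructed DER body."""
    items, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                    # long-form length: n & 0x7F length bytes follow
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        items.append((tag, body[pos:pos + n]))
        pos += n
    return items

def make_cert(serial: int, spki: bytes, not_after: bytes) -> bytes:
    """Synthetic v3 certificate: tbsCertificate fields in RFC 5280 order, dummy signature."""
    alg = der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, serial.to_bytes(2, "big")), alg,
                  der_seq(), der_seq(der_tlv(0x17, b"250114201831Z"), der_tlv(0x17, not_after)),
                  der_seq(), spki)        # issuer and subject left empty; SPKI is the sixth field
    return der_seq(tbs, alg, der_tlv(0x03, bytes(33)))

def spki_of(cert_der: bytes) -> bytes:
    fields = der_items(der_items(der_items(cert_der)[0][1])[0][1])   # Certificate -> tbs -> fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields           # skip optional [0] version
    return der_tlv(*fields[5])          # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(cert_der: bytes, selector: int) -> str:
    """Association data for matching type 1 (SHA-256): selector 0 = whole cert, 1 = SPKI."""
    return hashlib.sha256(cert_der if selector == 0 else spki_of(cert_der)).hexdigest()

def dane_ee_matches(cert_der: bytes, rr: str) -> bool:
    """Compare a presented certificate with one TLSA RR in presentation form ('3 0 1 <hex>')."""
    usage, selector, mtype, data = rr.split()
    assert usage == "3" and mtype == "1", "only DANE-EE with SHA-256 is handled here"
    return tlsa_data(cert_der, int(selector)) == data.lower()

SPKI = der_seq(der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), der_tlv(0x05, b"")),
               der_tlv(0x03, b"\x00" + bytes(range(64))))   # constructed stand-in for an RSA public key
OLD_CERT = make_cert(1001, SPKI, b"250414201830Z")   # certificate the TLSA records were generated from
NEW_CERT = make_cert(1002, SPKI, b"250713201830Z")   # renewed with the same key pair: new serial and dates
RR_301 = "3 0 1 " + tlsa_data(OLD_CERT, 0)           # no longer matches NEW_CERT: the mismatch in the bounce
RR_311 = "3 1 1 " + tlsa_data(OLD_CERT, 1)           # still matches NEW_CERT because the key was kept
```

For a live check, pass the DER bytes of the certificate Postfix actually serves on port 25 to dane_ee_matches together with the record dig returns for the _25._tcp name of the MX host; a mismatch there is what the 450 4.7.323 above reports.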
 
DANE Certificate Association Data does not match client certificate (SHA2-256)
^^

Plus other threads in this forum via the search function etc

Haven't commented on this thread since our own post #6, because we're able to achieve, what you appear not to be able to with DANE, but only because we are configuring DANE outside of Plesk, whereas you're not, so our data / info is therefore of no value to you, other than, a proof of concept that Plesk can run with full DANE integration (depending on the config! ;))
 
Thank you for your feedback. The steps that helped you do not work for me. Although all test pages show that my configuration is correct, it simply does not work. There is definitely room for improvement on the part of Plesk. But apparently there is no feedback from an employee of Plesk who takes care of the issue. That is a pity.
 