hi I'm trying to configure the TLSA DNS entry, but I don't know if it's correct because there's something weird. if I configure the recording by writing _25._tcp.mail.XXXXXX.cloud. I get a response with 3 zero in mailcow [upl-image-preview url=https://community.mailcow.email/assets/files/2024-03-08/1709880502-513067-3.png] [upl-image-preview url=https://community.mailcow.email/assets/files/2024-03-08/1709880509-630120-4.png] and if I configure by writing _25._tcp.XXXXX.cloud. I get a positive result in mailcow [upl-image-preview url=https://community.mailcow.email/assets/files/2024-03-08/1709880613-680-2.png] [upl-image-preview url=https://community.mailcow.email/assets/files/2024-03-08/1709880620-374979-1.png] what is the right configuration, _25._tcp.XXXXX.cloud. Or _25._tcp.mail.XXXXX.cloud. THANKS

[0] Authentication succeeded for all (2) peers. [upl-image-preview url=https://community.mailcow.email/assets/files/2024-03-08/1709888179-938050-5.png] It was my IPv6 firewall blocking IPv6 traffic. It's resolved. Thanks again

TLSA DNS setup

Cisco30

hi
I’m trying to configure the TLSA DNS entry, but I don’t know if it’s correct because there’s something weird.
if I configure the recording by writing 25.tcp.mail.XXXXXX.cloud. I get a response with 3 zero in mailcow

and if I configure by writing 25.tcp.XXXXX.cloud. I get a positive result in mailcow

what is the right configuration,
25.tcp.XXXXX.cloud.
Or
25.tcp.mail.XXXXX.cloud.
THANKS

piperino

Cisco30

25.tcp.mail.XXXXX.cloud is right.
you can verify here
https://www.huque.com/bin/danecheck

Cisco30

thanks for the answer, I get two results

DANE Authentication partially successful.
Host: mail.XXXXXXX.cloud Port: 25
SNI: mail.XXXXXXXcloud
STARTTLS application: smtp
DNS TLSA RRset:
qname: 25.tcp.mail.XXXXXXXX.cloud.
3 1 1 ebe16ab9c4a35034ebddb681fd5dfbaa454dac17cXXXXXXf2d100a9a78d23a0
IP Addresses found:
2a01:e0a:831:7680:baac:6fff:XXXX:XXXX
82.65.XXX.XXX

Checking mail.XXXXXXX.cloud 2a01:e0a:831:7680:baac:6ffXXXXXXX port 25

DANE TLSA 3 1 1 [ebXXX6ab9..]: not checked
Result: FAILED: dial tcp [2a01:e0a:831:7680:baac:XXXXXXXX]:25: i/o timeout

Checking mail.XXXXX.cloud 2a01:e0a:831:7680:baac:6ffXXXXX port 25

DANE TLSA 3 1 1 [ebe1XXXXXab9..]: not checked
Result: FAILED: dial tcp [2a01:e0a:831:7680:baac:6fff:fXXXXX]:25: i/o timeout

Checking mail.XXXXX.cloud 82.65.4.39 port 25

DANE TLSA 3 1 1 [ebXXXXX9..]: OK matched EE certificate

STARTTLS Transcript:

recv: 220-mail.XXXXX.cloud ESMTP Postcow
recv: 220 mail.XXXXX.cloud ESMTP Postcow
send: EHLO cheetara.huque.com
recv: 250-mail.XXXXX.cloud
recv: 250-PIPELINING
recv: 250-SIZE 104857600
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250 DSN
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS

Peer Certificate Chain:

0 CN=mail.XXXXX.cloud
CN=R3,O=Let’s Encrypt,C=US
1 CN=R3,O=Let’s Encrypt,C=US
CN=ISRG Root X1,O=Internet Security Research Group,C=US

PKIX Certificate Chain 0:

0 CN=mail.XXXXX.cloud
CN=R3,O=Let’s Encrypt,C=US
1 CN=R3,O=Let’s Encrypt,C=US
CN=ISRG Root X1,O=Internet Security Research Group,C=US
2 CN=ISRG Root X1,O=Internet Security Research Group,C=US
CN=ISRG Root X1,O=Internet Security Research Group,C=US

DANE Certificate Chain 0:

0 CN=mail.XXXXX.cloud
CN=R3,O=Let’s Encrypt,C=US
1 CN=R3,O=Let’s Encrypt,C=US
CN=ISRG Root X1,O=Internet Security Research Group,C=US

TLS Connection Info:

TLS version: 1.3
CipherSuite: TLS_AES_256_GCM_SHA384

End-Entity Certificate Info:

X509 version: 3
Serial#: 3c3212636f0a2727XXXXXcd5868d7bf00b
Subject: CN=mail.XXXXX.cloud
Issuer: CN=R3,O=Let’s Encrypt,C=US
SAN dNSName: mail.XXXXX.me
SAN dNSName: mail.XXXXX.cloud
Signature Algorithm: SHA256-RSA
PublicKey Algorithm: RSA 4096-Bits
Inception: 2024-03-07 03:42:13 +0000 UTC
Expiration: 2024-06-05 03:42:12 +0000 UTC
KU: DigitalSignature KeyEncipherment
EKU: ServerAuth ClientAuth
Is CA?: false
SKI: b3a777c3eae0d53dd22XXXXXddf6d3e290f1626aa
AKI: 142eb317b75856cbae5XXXXX40e61faf9d8b14c2c6
OSCP Servers: [http://r3.o.lencr.org]
CA Issuer URL: [http://r3.i.lencr.org/]
CRL Distribution: []
Policy OIDs: [2.23.140.1.2.1]
Result: DANE OK

[1] Authentication succeeded for some (1 of 2) peers.

what do you think?

piperino

Cisco30
Is ipv6 working? and listening on port 25.
Result: FAILED: dial tcp [2a01:e0a:831:7680:baac:XXXXXXXX]:25: i/o timeout
I have to admit i have no experience TLSA in combination with ipv6 though.

Cisco30

[0] Authentication succeeded for all (2) peers.

It was my IPv6 firewall blocking IPv6 traffic. It’s resolved. Thanks again