TLSA DNS setup

ETNyx

Hello,

i’m trying to setup TLSA DNS record, according to https://community.mailcow.email/d/3366-tlsa-dns-setup expected result (on DNS modal) is green check, i got “0 0 0”

I tried to check DANE on https://www.huque.com/bin/danecheck using settings:

Port: 25
Domain name: {{mailcow_hostname}}
StartTLS app: smtp

Got a success: “DANE Authentication Successful.” “[0] Authentication succeeded for all (2) peers.” (ipv4 + ipv6)

Also tried https://internet.nl/ result is
DANE existence - Verdict: All your mail server domains provide a TLSA record for DANE.
DANE validity close - Verdict: Each of your mailservers has at least one valid DANE fingerprint. This allows sending mail servers that support DANE verification to set up an authenticated encrypted transport connection with your receiving mail servers.

Not sure what is wrong, any suggestions?

jimmy_jummy

The TLSA DNS entry should look like this:

(last part is just an example. Yours will be different).

Look at your Mailcow -> Email -> Configuration > Domains and click on the blue DNS button. This will show whether you have set up your TLSA entry correctly or not.

ETNyx

Thanks, for your reply, I’m pretty sure that i got an underscore correctly inside the record, for now i remove it bc I did not know if it’s correct (I did copy record from that table). As I wrote in initial post, external test were green (ok), but under DNS button in mailcow I got string “0 0 0”, I was expecting green check icon.

I will try to add this record if you will be able to try to check it. But I would prefer to DM you, I’m not comfortable to wrote address in public ok?

jimmy_jummy

ETNyx

Try to restart the whole mailcow stack. Sometimes this will fix the problem.

Cisco30

hi
my TLSA record is correct and I also have 0 0 0 in place of the green checkmark. I don’t think you should worry about it

on https://www.checktls.com/TestReceiver

ETNyx

@jimmy_jummy restart does not help :-(
@Cisco30 Yes, also for me, check from external site looks ok,.. there is some problem in this

mailcow/mailcow-dockerizedblob/36b5cccd186090d726de62b6b00d1e842e67aacd/data/web/inc/ajax/dns_diagnostics.php#L268

dns_get_record() always return array[0]=>false, for some reason any query using $raw=TRUE parameter does not work, even when one ask DNS_A (int:1). Rest of dns_get_record($record[0], DNS_A) (not using $raw=TRUE) are fine. This happened inside docker, also outside using php8.2, firewall was disabled, dig return correct answer, strange :-(