Set up TLSA for DANE

Check DANE for a domain: (port 443) (SMTP port 25) (HTTP port 443 / SMTP port 25) (SMTP port 25) (port 443)

DirectAdmin is DANE ready since 8th June 2017:
Configure DANE for mailserver in directadmin.conf with dns_tlsa=1.
And in case of Let’s Encrypt: letsencrypt_renewal_days=60
Due to my experience, DirectAdmin does not renew in the Let’s Encrypt plugin in a stable way for TLSA 3 1 1.

Plesk’s DNS for name server values is not ready for TLSA records:
Fortunately, Mail Transfer Agent Postfix works for DANE.

DirectAdmin for change of DANE to a new certificate:
# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -outform DER | openssl sha256
Note: Your certificate can have a different path and / or file name.
Or in a simple professional way:

Setup of TLSA:
My interpretation now and then needs reading RFC’s about DANE. A SSL certificate is about three parts: private key, certifcate key and certification authority (ca) key(s).

A TLSA record contains four values:
. key to interprete a string; certificate authority key(s): 2 versus certificate key: 3
. private key after renewal of a certificate key; changing: 0 versus identical: 1
. string length; 1: 256 (versus 2: 512)
. string value

Using two TSLA records:
. A valid 301/311 combined with an old / new unvalid 301/311, scores at;
. A valid 311 and a valid 312 (certificate version with 512 bits encryption), do also score ‘both’ valid.

Let’s Encrypt
. every 60 days with 2 1 1 having ca key(s) with 5-year lifetime;
. every 60 days with 3 1 1 requires that an unchanged private key is under control;
(this frequent ‘rekeying’ is an unsolved problem)
Or eg Comodo (yearly) with 3 0 1 requires timely maintenance (two records during rollover);
Or eg Comodo (yearly) with 3 1 1 simplifies rollover, requires that an unchanged private key is under control.

With Let’s Encrypt:

old X3: TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
new R3: TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
new E1: TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

Explanation of two additional records for rollover: The new E1 value ​​has not yet been proven. Let’s Encrypt intermediate CA certificate ‘X3’, is replaced with ‘R3’ and ‘E1’ which have new keys, and so all DANE TLSA ‘2 1 1’ records matching ‘X3’ will not match ‘R3’or ‘E1’. The implementation from Thursday 3 September 2020 is planned before the end of 2020.

Hint: You can have three values first and later on one or two values.

Notes: ->
– Plesk stores certificate data in a central location. DirectAdmin in folders inside and outside its menu;
– DANE is still limited to port 25 for traffic between mail servers;
– For an email client DANE is in design phase (RFC7671/RFC7673/RFC6698);
– Any obstacle implementing DANE, needs to be addressed.

MTA: Mail Transfer Agent
MUA: Mail User Agent
MDA: Message Delivery Agent