Set up TLSA for DANE

Check DANE for a domain:
https://www.huque.com/bin/danecheck (port 443)
https://www.huque.com/bin/danecheck-smtp (SMTP port 25)
https://internet.nl (port 443 / SMTP port 25)
https://dane.sys4.de (SMTP port 25)
https://check.sidnlabs.nl/dane (port 443)

DirectAdmin is DANE ready since 8th June 2017:
Configure DANE for mailserver in directadmin.conf with dns_tlsa=1.
And in case of Let’s Encrypt: letsencrypt_renewal_days=60
Due to my experience, DirectAdmin does not renew in the Let’s Encrypt plugin in a stable way for TLSA 3 1 1.

Plesk’s DNS for name server values is not ready for TLSA records:
Fortunately, Mail Transfer Agent Postfix works for DANE.

DirectAdmin for change of DANE to a new certificate:
# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -outform DER | openssl sha256
Note: Your certificate can have a different path and / or file name.
Or in a simple professional way: https://www.huque.com/bin/gen_tlsa

Setup of TLSA:
My interpretation now and then needs reading RFC’s about DANE.
A SSL certificate is about three parts: private key, certifcate key and certification authority (ca) key(s).

A TLSA record contains four values:
. key to interprete a string; certificate authority key(s): 2 versus certificate key: 3
. private key after renewal of a certificate key; changing: 0 versus identical: 1
. string length; 1: 256 (versus 2: 512)
. string value

Let’s Encrypt (every 60 days) with 2 1 1 having ca key(s) with 5-year lifetime;
Let’s Encrypt (every 60 days) with 3 1 1 requires that an unchanged private key is under control;
(this frequent ‘rekeying’ is an unsolved problem)
E.g. Comodo (yearly) with 3 1 1 simplifies rollover, requires that an unchanged private key is under control.
E.g. Comodo (yearly) with 3 0 1 requires timely maintenance (two records during rollover).

With Let’s Encrypt:
_25._tcp
_25._tcp.mail
_443._tcp
_443._tcp.www

TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

Explanation of two additional records for rollover: The values ​​have not yet been proven. Let’s Encrypt intermediate CA certificate ‘X3’, is replaced with ‘R3’ and ‘E1’ which have new keys, and so all DANE TLSA ‘2 1 1’ records matching ‘X3’ will not match ‘R3’or ‘E1’. The implementation from Thursday 3 September 2020 is planned before the end of 2020.

Notes:
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://toolbox.internet.nl -> https://github.com/internetstandards/toolbox-wiki/
– https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
– Plesk stores certificate data in a central location. DirectAdmin in folders inside and outside its menu;
– DANE is still limited to port 25 for traffic between mail servers;
– For an email client DANE is in design phase (RFC7671/RFC7673/RFC6698);
– Any obstacle implementing DANE, needs to be addressed.

Terminology:
MTA: Mail Transfer Agent
MUA: Mail User Agent
MDA: Message Delivery Agent