Mail not delivered after disabling DNSSEC


#1

I had enabled DNSSEC at the registrar, but had to remove their entry. They removed the signing 16 days ago (which must be enough time for it to no longer be cached by public DNS), but third-party mail servers (such as tutanota.com, posteo.de, etc.) that are DANE-enabled still cross-check and see an entry, thus not delivering (because I guess they assume MiaB is under attack). They recognize that MiaB still supports DANE (cf. posteo).

Short check at SidnLabs DANE Test revealed the following:

"Warning! TLSA records for _443.tcp.box.emailserver.com. were found, but were insecure.
PKIX validation without DANE will be performed. If you wish to perform DANE
even though the RR’s are insecure, use the -d option.
Warning! Insecure IPv4 addresses. Continuing with them…
99.999.99.999 dane-validated successfully"

How can I solve this issue?


#2

Can anyone jump in here? After the registrar removed the signing of my DNSSEC zone, ALL DANE-enabled mail servers still think MiaB is using DNSSEC, and of course they cannot verify it (no signing anymore at the registrar), so they regard mail from MiaB as compromised and reject the mails coming from MiaB.

Are there any additional steps that need to be taken to disable DNSSEC completely on MiaB? Thanks!


#3

Remove your TLSA records! The instructions on the server explain what TLSA is:

“Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used.”

Since you no longer have DNSSEC enabled, you gotta remove ALL of the appropriate records.


#4

That seems correct.

See also: “Selective availability of STARTTLS is not compatible with DANE. Make sure that either STARTTLS is always on, or DANE TLSA records are NOT published for your domain. Keep in mind that STARTTLS may be disabled by a proxy such as “spamd” or similar, that sits between remote clients and your SMTP server.”

However, it does not seem possible to do that in MiaB. And if you do it manually, it gets overwritten when you update MiaB.
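The state the thread describes (TLSA records still published after the zone stopped being signed, so remote DANE verifiers see "insecure" TLSA records) can be checked from the outside with `dig +dnssec TLSA _25._tcp.box.emailserver.com` against a validating resolver. The script below is an added example, not code from the thread or from Mail-in-a-Box: it parses dig-style output, validates the TLSA fields against RFC 6698, and classifies the domain as "no TLSA published", "TLSA published and DNSSEC-validated", or the problem case "TLSA published but not validated" that the posts above are working around. The hostnames, TTLs and digest values in the samples are constructed.

```python
"""Classify a mail host's DANE/TLSA state from dig-style output.

Added example (not part of the thread or of Mail-in-a-Box). Run a real
query with, for example:
    dig +dnssec TLSA _25._tcp.box.emailserver.com
against a validating resolver and feed the text to classify_dane_state().
The 'ad' (authenticated data) flag is only set when the resolver itself
validates DNSSEC, so results from a non-validating resolver are meaningless.
"""
import re

# Digest length in bytes for each TLSA matching type (RFC 6698 section 2.1.3):
# 0 = full certificate/SPKI (any length), 1 = SHA-256, 2 = SHA-512.
MATCHING_TYPE_DIGEST_LEN = {0: None, 1: 32, 2: 64}

# One dig answer line: "<owner> <ttl> IN TLSA <usage> <selector> <mtype> <hex...>"
TLSA_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f\s]+)$"
)


def parse_tlsa(rr_line):
    """Parse and sanity-check a single TLSA resource record line."""
    m = TLSA_RE.match(rr_line.strip())
    if not m:
        raise ValueError("not a TLSA record line: %r" % rr_line)
    name, ttl, usage, selector, mtype, data = m.groups()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    # dig may wrap the hex data across whitespace; normalise it.
    data = re.sub(r"\s+", "", data).lower()
    if usage not in (0, 1, 2, 3):
        raise ValueError("invalid certificate usage %d" % usage)
    if selector not in (0, 1):
        raise ValueError("invalid selector %d" % selector)
    if mtype not in MATCHING_TYPE_DIGEST_LEN:
        raise ValueError("invalid matching type %d" % mtype)
    expected = MATCHING_TYPE_DIGEST_LEN[mtype]
    if expected is not None and len(data) != expected * 2:
        raise ValueError("matching type %d needs %d hex chars, got %d"
                         % (mtype, expected * 2, len(data)))
    return {"name": name, "ttl": int(ttl), "usage": usage,
            "selector": selector, "matching_type": mtype, "data": data}


def has_ad_flag(dig_output):
    """True if the dig header reports the 'ad' flag (answer was validated)."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()


def extract_tlsa_records(dig_output):
    """Return parsed TLSA records from the ANSWER section of dig output."""
    records = []
    for line in dig_output.splitlines():
        # Skip comments, the QUESTION section and RRSIG lines.
        if line.startswith(";") or not re.search(r"\sIN\s+TLSA\s", line):
            continue
        records.append(parse_tlsa(line))
    return records


def classify_dane_state(dig_output):
    """Return 'no-dane', 'dane-ok' or 'insecure-tlsa'.

    'insecure-tlsa' is the state from the thread: TLSA records exist but the
    zone is no longer signed, so DANE-enforcing senders cannot validate them.
    The fix is to remove the TLSA records or to re-enable DNSSEC.
    """
    records = extract_tlsa_records(dig_output)
    if not records:
        return "no-dane"
    return "dane-ok" if has_ad_flag(dig_output) else "insecure-tlsa"


# Constructed sample: TLSA published, but no 'ad' flag (zone unsigned).
SAMPLE_INSECURE = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.box.emailserver.com.\tIN\tTLSA
;; ANSWER SECTION:
_25._tcp.box.emailserver.com.\t300\tIN\tTLSA\t3 1 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971
"""

# Constructed sample: same TLSA record, validated by the resolver.
SAMPLE_SIGNED = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.box.emailserver.com.\t300\tIN\tTLSA\t3 1 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971
_25._tcp.box.emailserver.com.\t300\tIN\tRRSIG\tTLSA 13 5 300 20240101000000 20231201000000 12345 emailserver.com. EXAMPLESIGNATURE==
"""

# Constructed sample: no TLSA records at all (plain opportunistic TLS).
SAMPLE_NO_TLSA = """;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.box.emailserver.com.\tIN\tTLSA
"""

if __name__ == "__main__":
    for label, sample in (("insecure", SAMPLE_INSECURE),
                          ("signed", SAMPLE_SIGNED),
                          ("none", SAMPLE_NO_TLSA)):
        print(label, "->", classify_dane_state(sample))
```

The classification deliberately keys on the resolver's `ad` flag rather than on the presence of RRSIG records, because a zone can still carry stale signatures after the DS record has been pulled from the parent; what a DANE-enforcing sender cares about is whether the chain validates, not whether signatures exist.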


#5

How???

How would I even do it manually? I can edit it again when I upgrade if that is necessary – but how do I get rid of the TLSA record???