I recently set up a new MaiB as my email server at work. I am using externally hosted DNS (namecheap.com). While they support DNSSEC, they do not support TLSA records.
I also have a personal MaiB at DigitalOcean (dbugg.dev) which has been in place for a few months. When I first set up my work server, I was able to send mail from my personal server. Granted, I don’t send mail to work from personal often, but when I tried it today I get TLSA errors on the personal server:
Feb 24 16:20:45 box postfix/smtp[11079]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail.daviesprinting.com type=TLSA: Host not found, try again
Feb 24 16:20:51 box postfix/smtp[11079]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail.daviesprinting.com type=TLSA: Host not found, try again
Feb 24 16:20:51 box postfix/smtp[11079]: warning: TLS policy lookup for daviesprinting.com/mail.daviesprinting.com: TLSA lookup error for mail.daviesprinting.com:25
Feb 24 16:20:51 box postfix/smtp[11079]: 2DF367E7D0: to=<packaging@daviesprinting.com>, relay=none, delay=25677, delays=25651/0.07/26/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail.daviesprinting.com:25)
Of course, _25._tcp.mail.daviesprinting.com doesn’t exist because TLSA records are not supported at namecheap.
DNSSEC is turned on at namecheap. MaiB says TLSA records are optional. If I remember correctly from when I was setting the work server up, I got weird errors when DNSSEC was turned off, but I don’t remember what the issue was (sorry).
I plan to move away from namecheap in the near future, but I’d like to get this straightened out sooner rather than later.
In all honesty, I’m not sure what TLSA records do. Are they linked to the Let’s Encrypt certificates at all? This MaiB replaced a CentOS server that hosted email and two websites (each had their own virtual IP and hostname) which had been switched to Let’s Encrypt shortly before moving mail to the new MaiB server. The web servers are still running on the CentOS box, but Postfix and Dovecot are shut down.
The new mail server has the same name the old one had. I changed the hostname of the mail portion of the old server and created a new certificate, although it is no longer serving anything. However, I think the certificates with the old name are still there. Is there something I need to do to cancel the original named certificate at LE since it is being used on the new server now?
It just seems like something is telling my personal box to request a TLSA record for my work box when it doesn’t exist.
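Added example (not from the original post or from Mail-in-a-Box): a small stdlib-only Python triage script that reads Postfix log lines like the ones quoted above and separates the two things that look alike in the log. A "DANE TLSA lookup problem ... try again" line is a temporary resolver error (typically SERVFAIL from a validating resolver that could not prove the TLSA name absent), not a clean DNSSEC-signed denial of existence. With `smtp_tls_security_level = dane`, Postfix falls back to opportunistic TLS when the absence of TLSA records is validated, but defers the message (dsn 4.7.5, as in the log) when the lookup itself errors, because it cannot tell a missing record from a tampered answer. The sample log below is constructed for this example: the first four lines reproduce the ones in the post, the last two are invented "good" lines (host `mail.example.net`, queue id `3AB45C1D2E`) to show what a DANE-verified delivery looks like by contrast.

```python
"""Triage Postfix DANE/TLSA failures from mail.log lines (stdlib only)."""
import re
from collections import Counter

# Constructed sample for this example. The first four lines are the ones quoted
# in the post; the last two are invented to show a successful DANE delivery.
SAMPLE_LOG = """\
Feb 24 16:20:45 box postfix/smtp[11079]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail.daviesprinting.com type=TLSA: Host not found, try again
Feb 24 16:20:51 box postfix/smtp[11079]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail.daviesprinting.com type=TLSA: Host not found, try again
Feb 24 16:20:51 box postfix/smtp[11079]: warning: TLS policy lookup for daviesprinting.com/mail.daviesprinting.com: TLSA lookup error for mail.daviesprinting.com:25
Feb 24 16:20:51 box postfix/smtp[11079]: 2DF367E7D0: to=<packaging@daviesprinting.com>, relay=none, delay=25677, delays=25651/0.07/26/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail.daviesprinting.com:25)
Feb 24 16:21:03 box postfix/smtp[11080]: Verified TLS connection established to mail.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 16:21:03 box postfix/smtp[11080]: 3AB45C1D2E: to=<someone@example.net>, relay=mail.example.net[203.0.113.5]:25, delay=1.2, delays=0.01/0.02/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
"""

# A lookup *problem* is a resolver error (e.g. SERVFAIL on a bogus NSEC/NSEC3
# denial), not a validated "no such record". Postfix will not downgrade on it.
TLSA_PROBLEM = re.compile(
    r"DANE TLSA lookup problem: (?P<detail>.*?) Name service error for name="
    r"(?P<name>_\d+\._tcp\.[\w.-]+) type=TLSA"
)
# Per-message delivery status line: queue id, recipient, DSN, status, reason.
DELIVERY = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>[^)]*)\)"
)
TLSA_REASON = re.compile(r"TLSA lookup error for (?P<host>[\w.-]+):(?P<port>\d+)")
# "Verified" is the level Postfix logs when a TLSA record matched the peer cert.
TLS_ESTABLISHED = re.compile(
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established "
    r"to (?P<host>[\w.-]+)\["
)


def triage(log_text):
    """Summarise which TLSA names errored, which queue ids are stuck because of
    that, and which peers completed a DANE-verified TLS session."""
    lookup_errors = Counter()
    stuck = []          # (queue id, recipient, next-hop host) deferred by DANE
    verified = set()    # peers whose TLSA record matched
    for line in log_text.splitlines():
        m = TLSA_PROBLEM.search(line)
        if m:
            lookup_errors[m.group("name")] += 1
            continue
        m = DELIVERY.search(line)
        if m:
            if m.group("status") == "deferred":
                r = TLSA_REASON.search(m.group("reason"))
                if r:
                    stuck.append((m.group("qid"), m.group("rcpt"), r.group("host")))
            continue
        m = TLS_ESTABLISHED.search(line)
        if m and m.group("level") == "Verified":
            verified.add(m.group("host"))
    return {
        "lookup_errors": dict(lookup_errors),
        "stuck": stuck,
        "verified": sorted(verified),
    }


def is_dane_fail_closed(summary):
    """True when mail is deferred only because the TLSA lookup errored, i.e.
    Postfix is refusing to guess rather than downgrade to unauthenticated TLS."""
    return bool(summary["stuck"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for name, n in s["lookup_errors"].items():
        print(f"{n}x TLSA lookup error for {name} -> check: dig {name} TLSA +dnssec")
    for qid, rcpt, host in s["stuck"]:
        print(f"queue {qid} to {rcpt} deferred: DANE could not be evaluated for {host}")
    print("DANE-verified peers:", ", ".join(s["verified"]) or "none")
```

To confirm the diagnosis from the sending box, run `dig _25._tcp.mail.daviesprinting.com TLSA +dnssec` against the same resolver Postfix uses (on a Mail-in-a-Box that is the local validating resolver). A properly signed zone with no TLSA record answers NXDOMAIN or NOERROR with the `ad` flag set and Postfix quietly falls back to opportunistic TLS; a SERVFAIL means validation of the denial-of-existence proof failed, which is exactly the case Postfix defers on.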
It looks like an issue with DNSSEC proving the TLSA record doesn’t exist. That is probably a namecheap issue, so all you can do is turn off DNSSEC. The other possibility is trying a different DNSSEC algorithm, if they let you choose.
I would show what I mean, but the board won’t let me post it.
@nsec3 If I remember correctly, I had other issues when I turned off DNSSEC. But I agree, since TLSA is optional, it seems that someone, somewhere in DNSSEC-land is saying to look for a TLSA record when it shouldn’t be.
Anyway, I think I am just going to move my NS to Google where my personal domain lives. They do TLSA and SSHFP. Namecheap doesn’t.