DANE based on existing Postfix, Let's Encrypt and DNSSEC

Author: righter

To activate DANE, add the following to the Postfix main.cf (smtp_dns_support_level = dnssec only has an effect if Postfix resolves through a DNSSEC-validating resolver; without validated TLSA records Postfix falls back to opportunistic TLS):
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtpd_use_tls = yes

Now compute the TLSA hash (SHA-256 over the DER-encoded public key of the leaf certificate, i.e. the data for a "3 1 1" record) and generate a TLSA DNS record:
printf '%s' $(openssl x509 -in fullchain.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')

Publish it in DNS (zone-file format):
_25._tcp.mail 3600 IN TLSA 3 1 1 d97b98594edb736ab2ae0bf2defd66d611f400eb362708c87689f7e73e66e7d4

!!REMEMBER!!
Every time you renew your LE cert you also have to update the TLSA entry. Since selector 1 hashes only the public key, the record changes exactly when the key changes, which is the default on every Let's Encrypt renewal; publish the new record before the new key goes live, or mail from DANE-verifying senders to you will fail until DNS catches up.

Test it with one of these DANE checkers:
https://dane.sys4.de/smtp/righter.ch
https://ssl-tools.net/mailservers/righter.ch
https://www.huque.com/bin/danecheck
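The steps above as reusable shell functions, added here as an example and not part of the original post: one derives the "3 1 1" record data from a fullchain.pem, one prints the zone-file line, and one checks whether DNS currently publishes that hash (the check a renewal hook should run). Assumes openssl and dig are installed; the owner name _25._tcp.mail and TTL 3600 are taken from the post's example.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl; tlsa_published also requires dig.

# Print the SHA-256 of the leaf certificate's SubjectPublicKeyInfo (DER) as lowercase hex.
# This is the record data for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
tlsa_311_data() {
    # openssl x509 reads only the first certificate in the file, i.e. the leaf cert.
    # od is used instead of hexdump because od is POSIX and present everywhere.
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n'
}

# Print the complete zone-file line: tlsa_311_record fullchain.pem _25._tcp.mail
tlsa_311_record() {
    printf '%s 3600 IN TLSA 3 1 1 %s\n' "$2" "$(tlsa_311_data "$1")"
}

# Normalise "dig +short TLSA" output read from stdin: dig prints the hex data split
# into space-separated chunks and in upper case, so join fields 4..NF and lowercase.
tlsa_data_from_dig() {
    awk '{ s = ""; for (i = 4; i <= NF; i++) s = s $i; print tolower(s) }'
}

# Exit 0 if DNS already publishes the hash of the local cert, 1 otherwise
# (the situation after a renewal that rotated the key and the record was not updated).
tlsa_published() {
    want=$(tlsa_311_data "$1")
    dig +short TLSA "$2" | tlsa_data_from_dig | grep -qx "$want"
}
```

Wire tlsa_311_record into the renewal hook to regenerate the record, and tlsa_published into monitoring so a stale record is caught before DANE-verifying peers start rejecting mail.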
