On Thu, Oct 30, 2025 at 04:00:45PM +0000, John Levine via mailop wrote:
> It appears that Edmund Lodewijks via mailop <[email protected]> said:
>
> >Does this setup work, a self-signed certificate in combination with
> >DANE?
> >
> >Whenever I tried this, connections from Gmail and Protonmail (and
> >potentially others) got dropped right after tls:
There is a non-trivial minority of SMTP servers that have self-signed
certificates. Barring some reason to expect otherwise (MTA-STS policy?),
SMTP clients broadly tolerate unvalidatable server certificates,
including self-signed as one of many ways that can happen. That's just
basic unauthenticated opportunistic TLS.
For example, the backup MX of the Armenian NIC, "isoc.amnic.net" has
a self-signed cert and matching TLSA records:
_25._tcp.isoc.amnic.net. IN TLSA 3 1 1 e85440f7099608bfaf645ce0b4806f556601a96f4a720c91b6e76ea4cdd0d4e6
isoc.amnic.net[195.43.74.26]: pass: TLSA match: depth = 0
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
name = isoc-1.amnic.net
depth = 0
Issuer CommonName = isoc-1.amnic.net
Issuer Organization = Internet Society Public Organization
notBefore = 2024-07-04T18:10:52Z
notAfter = 2027-07-04T18:10:52Z
Subject CommonName = isoc-1.amnic.net
Subject Organization = Internet Society Public Organization
pkey sha256 [matched] <- 3 1 1 e85440f7099608bfaf645ce0b4806f556601a96f4a720c91b6e76ea4cdd0d4e6
Likewise both MX hosts of a Czech health insurance provider:
cpzp.cz. IN MX 10 posta.cpzp.cz.
cpzp.cz. IN MX 30 postc.cpzp.cz.
_25._tcp.posta.cpzp.cz. IN TLSA 3 1 1 582364ed6dd790dbb5c121050ab0620c9be20a8d7e59ed55a2e917b744028165
posta.cpzp.cz[193.85.230.100]: pass: TLSA match: depth = 0, name = posta.cpzp.cz
TLS = TLS1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,X25519
name = posta
name = posta.cpzp.cz
depth = 0
Issuer CommonName = posta
notBefore = 2021-09-21T16:05:32Z
notAfter = 2026-09-21T16:05:32Z
Subject CommonName = posta
pkey sha256 [matched] <- 3 1 1 582364ed6dd790dbb5c121050ab0620c9be20a8d7e59ed55a2e917b744028165
_25._tcp.postc.cpzp.cz. IN TLSA 3 1 1 cedc8c091d393f523c0ab409cd06ff6b0f0b15ae1acf83990585328b2dc44200
postc.cpzp.cz[193.85.230.101]: pass: TLSA match: depth = 0, name = postc.cpzp.cz
TLS = TLS1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,X25519
name = postc
name = postc.cpzp.cz
depth = 0
Issuer CommonName = postc
notBefore = 2021-07-01T06:46:53Z
notAfter = 2026-07-01T06:46:53Z
Subject CommonName = postc
pkey sha256 [matched] <- 3 1 1 cedc8c091d393f523c0ab409cd06ff6b0f0b15ae1acf83990585328b2dc44200
So you should be able to field a DANE-validatable self-signed cert and
not have trouble receiving mail from either non-DANE SMTP clients or
DANE-enabled SMTP clients (provided the TLSA records match that cert or
its public key).
> It works for mail systems that use DANE.
No, it is expected to just work regardless. Some clients might balk if
the certificate is manifestly expired (a mistake, but best to not tempt
them). Some might also object to poor choices of key usage or extended
key usage extensions.
> I know Gmail doesn't (that is why we have MTA-STS). Protonmail's DNS
> isn't DNSSEC signed, so I doubt they do either.
The protonmail.ch domain is not only DNSSEC-signed, but its MX hosts even
have TLSA records, and support over 82K DNSSEC-signed customer domains.
So they definitely do *inbound* DANE. I was under the impression they
also do outbound DANE, but I am not in possession of hard facts that
demonstrate that to be the case.
https://stats.dnssec-tools.org/explore/?protonmail.ch
Though in this case not self-signed:
_25._tcp.mail.protonmail.ch. IN TLSA 3 1 1 6111a5698d23c89e09c36ff833c1487edc1b0c841f87c49dae8f7a09e11e979e
_25._tcp.mail.protonmail.ch. IN TLSA 3 1 1 76bb66711da416433ca890a5b2e5a0533c6006478f7d10a4469a947acc8399e1
mail.protonmail.ch[176.119.200.128]: pass: TLSA match: depth = 0, name = *.protonmail.ch
TLS = TLS1.3 with TLS_AES_256_GCM_SHA384,X25519,PubKeyALG_RSA
name = *.pm.me
name = *.protonmail.ch
name = *.protonmail.com
name = *.protonvpn.ch
name = *.protonvpn.com
name = protonmail.com
depth = 0
Issuer CommonName = R13
Issuer Organization = Let's Encrypt
notBefore = 2025-10-07T13:23:55Z
notAfter = 2026-01-05T13:23:54Z
Subject CommonName = protonmail.com
pkey sha256 [matched] <- 3 1 1 76bb66711da416433ca890a5b2e5a0533c6006478f7d10a4469a947acc8399e1
depth = 1
Issuer CommonName = ISRG Root X1
Issuer Organization = Internet Security Research Group
notBefore = 2024-03-13T00:00:00Z
notAfter = 2027-03-12T23:59:59Z
Subject CommonName = R13
Subject Organization = Let's Encrypt
pkey sha256 [nomatch] <- 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
All five of the domains in the certificate are DNSSEC-signed and have
working inbound DANE: pm.me, protonmail.ch, protonmail.com,
protonvpn.ch, protonvpn.com.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
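Added example (not from Viktor's post, Postfix or posttls-finger): the TLSA matching rule the outputs above rely on, written against Go's standard library. A self-signed certificate passes a DANE-EE "3 1 1" record because only the SHA-256 of its SubjectPublicKeyInfo is compared, with no PKIX name or expiry check. The host name mx.example.invalid and the key are constructed; MatchDANE performs only the TLSA matching step and assumes the TLS library has already built the chain (and, for DANE-TA, verified the issuer's signature). Matching type 1 (SHA-256) is the only one implemented.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// TLSA is one RR, e.g. "_25._tcp.host. IN TLSA 3 1 1 <hex>"; matching type 1 (SHA-256) only.
type TLSA struct{ Usage, Selector uint8; Data []byte }
// assocData is the value a record's Data is compared with (RFC 6698 "certificate association data").
func assocData(c *x509.Certificate, sel uint8) []byte {
	d := c.Raw // selector 0: the whole DER certificate
	if sel == 1 {
		d = c.RawSubjectPublicKeyInfo // selector 1: only the public key (SPKI)
	}
	s := sha256.Sum256(d)
	return s[:]
}
// MatchDANE checks a presented chain (leaf first) against the TLSA RRset as RFC 7672 requires
// for SMTP: DANE-EE(3) matches the leaf only (depth 0) with no PKIX name or expiry check, so a
// self-signed cert passes; DANE-TA(2) matches an issuer (depth >= 1). Returns the depth, or -1.
func MatchDANE(chain []*x509.Certificate, rrs []TLSA) int {
	for depth, c := range chain {
		for _, rr := range rrs { // PKIX-TA(0)/PKIX-EE(1) are not used for SMTP and never match here
			eeOK, taOK := rr.Usage == 3 && depth == 0, rr.Usage == 2 && depth > 0
			if (eeOK || taOK) && string(assocData(c, rr.Selector)) == string(rr.Data) {
				return depth
			}
		}
	}
	return -1
}
// SelfSigned mints a throwaway self-signed Ed25519 cert (constructed here; not a real MX host).
func SelfSigned(name string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
func main() {
	leaf := SelfSigned("mx.example.invalid")
	rr := TLSA{3, 1, assocData(leaf, 1)} // the record the operator publishes in DNS
	fmt.Printf("_25._tcp.mx.example.invalid. IN TLSA 3 1 1 %x\n", rr.Data)
	fmt.Println("TLSA match depth:", MatchDANE([]*x509.Certificate{leaf}, []TLSA{rr}))
}
```

Re-keying the certificate changes the SPKI digest and the match fails, which is why the post stresses that the TLSA records must track the certificate or its public key.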