Hi Viktor

> > Receiving end is Postfix with a Let's Encrypt wildcard cert. As far
> > the cert looks valid, the chain looks ok.
>
> This is not the first time on this list that I've had to remind email
> server operators that DANE TLSA records are not a fashion statement,
> and require timely monitoring:
>
> https://stats.dnssec-tools.org/explore/?woody.ch

This is not the affected domain, but I guess you found the issue.

> Microsoft supports DANE outbound. If you don't look after your DANE
> TLSA records, you'll start losing email.
>
> I am curious why you've chosen to not monitor your TLSA records, any
> insight would be appreciated...

Complete oversight on my part. As a 'technophile' I try out stuff, and
in the case of DANE, yes, it's a good idea, but it became too cumbersome
to maintain when I switched the affected domains to Let's Encrypt.

I just scripted to restart the services affected when the cert changes
but completely neglected DANE.

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
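The check that the renewal script described in this message was missing, as an added example that is not part of the original thread: compute the TLSA association data for a renewed leaf certificate and compare it with the published DANE-EE records before the certificate goes live. All function names are hypothetical and the sample certificates are constructed DER skeletons; a `3 1 1` record hashes only the public key, so it survives a renewal only if the key is reused.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                    # explicit [0] version, absent in v1
        pos = end
    for _field in range(5):            # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def association_data(cert_der, selector, mtype):
    """TLSA certificate association data (RFC 6698) as lowercase hex."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def matching_tlsa(cert_der, rrset):
    """Usage 3 (DANE-EE) records in rrset that match this leaf certificate.
    Usage 2 (DANE-TA) needs the issuer chain and is not handled here."""
    return [r for r in rrset if r[0] == 3
            and association_data(cert_der, r[1], r[2]) == r[3].lower()]

# Constructed sample input: DER skeletons with the X.509 field layout,
# not valid certificates. Bodies must stay under 256 bytes.
def _der(tag, body=b""):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(serial, key_bytes):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30) * 4 + _der(0x30, key_bytes))
    return _der(0x30, tbs + _der(0x30) + _der(0x03, b"\x00"))

OLD = sample_cert(1, b"A" * 140)               # certificate the TLSA RRset was built from
RENEWED_SAME_KEY = sample_cert(2, b"A" * 140)  # renewal that reuses the key
RENEWED_NEW_KEY = sample_cert(3, b"B" * 140)   # renewal with a fresh key
RRSET = [(3, 1, 1, association_data(OLD, 1, 1)), (3, 0, 1, association_data(OLD, 0, 1))]
```

For a real certificate, pass the DER bytes from `ssl.PEM_cert_to_DER_cert()` and the records returned by a DNSSEC-validated TLSA lookup; an empty result from `matching_tlsa` means the new certificate must not be deployed until the RRset is updated.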
