On Sat, Nov 22, 2025 at 05:11:08PM +0200, Edmund Lodewijks via Postfix-users
<[email protected]> wrote:
> On 2025/11/22 15:18, Viktor Dukhovni via Postfix-users wrote:
> [...]
> What monitoring do you advise? I use `pflogsumm` which emails me
> statistics every day, which I also scan for connection issues.
> I check internet.nl every now and then to verify that all is working
> well (now that I am poking at this lot).
> I could create a script to automatically check that the tlsa records
> match the keys. Is there anything else you would suggest?
If using danectl, monitoring is done by having a
cronjob that looks something like:
# Report any DANE problems
30 0 * * * danectl check
(although you might prefer hourly checks)
It will compare what should be published in the DNS
with what is published in the DNS. When all is well,
there is no output. But if a discrepancy occurs, you'll
be emailed what needs to be done to fix the situation.
When not given a specific certificate name to check on
the command line, it checks all certificates that are
configured for use with DANE.
Another option is Viktor's danecheck:
https://github.com/vdukhovni/danecheck
which works however you've created your TLSA records.
Note that if you have both ECDSA and RSA present, it'll
only check ECDSA, but that's by design. It's the most
likely to be misconfigured.
There are also several websites that let you perform checks,
but you really need something automated.
> [...]
> > Combining Let's Encrypt with DANE can be tricky, because by default your
> > private key changes automatically with every renewal and it is not
> > obvious how to make sure that TLSA record updates happen a few TTLs in
> > advance of new key deployment (initially matching both the current and
> > next key, with those matching the current key later removed once the
> > new key is made "current").
> >
> > But see:
> >
> > - https://github.com/raforg/danectl
>
> I have been trying danectl, and been in touch with the author as well! I
> got in some murky water because of using (at the time) both an ECDSA and
> an RSA certificate for the same server name.
>
> > perhaps more polished IIRC than:
> >
> > - https://github.com/tlsaware/danebot
>
> This I am currently using.
Currently, danectl doesn't support having multiple key
types for the same set of domains, but since Edmund has
approached me with this use case, I am starting to add
support for that. It'll be a bit fiddly, but I think
it's worthwhile to make it easy for people to use
multiple key types with DANE if they want to.
So the "danectl check" cronjob mentioned above doesn't
yet handle multiple key types for the same domains, but
it soon will.
Also, danectl uses certbot but it suppresses the
creation of new keys every time the certificate is
renewed, so that you get to control when key rollovers
happen. And it makes sure that there is always a
"current" and "next" key (and certificate) with
corresponding TLSA keys published in the DNS at all
times, so that when a rollover is needed, everything is
already ready for it to happen without delay.
> Kind regards,
> Edmund
cheers,
raf
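The "compare what should be published with what is published" check that danectl automates, as an added example that is not part of this thread nor of danectl or danecheck: it extracts the SubjectPublicKeyInfo from DER certificates, computes the "3 1 1" (DANE-EE, SPKI, SHA-256) digest, and diffs the set of digests the current and next certificates require against the digests a DNS lookup returned. The certificate bytes below are constructed with the right X.509 layout but dummy contents, and the DNS query itself (fetching the TLSA RRset for _25._tcp.<mx>) is assumed to happen elsewhere.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV (lengths below 256 suffice for the sample)."""
    n = len(content)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + content

def der_tlv(buf, pos):
    """Decode the TLV at pos: (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def spki_from_der_cert(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = der_tlv(cert_der, tbs_pos)      # TBSCertificate
    fields = []
    while pos < tbs_end:                               # walk TBSCertificate fields
        tag, _, end = der_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    # optional version [0], then serial, signature, issuer, validity, subject, SPKI
    i = 1 if fields[0][0] == 0xA0 else 0
    _, start, end = fields[i + 5]
    return cert_der[start:end]

def tlsa_3_1_1(cert_der):
    """DANE-EE(3) SPKI(1) SHA-256(1) digest, as it appears in a TLSA record."""
    return hashlib.sha256(spki_from_der_cert(cert_der)).hexdigest()

def check_tlsa(cert_ders, published):
    """Digests that should be in DNS (current + next cert) vs what DNS returned."""
    expected = {tlsa_3_1_1(c) for c in cert_ders}
    return sorted(expected - set(published)), sorted(set(published) - expected)

# Constructed stand-in for a certificate: real X.509 field layout, dummy contents.
EC_OID = der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")
SAMPLE_SPKI = der(0x30, der(0x30, EC_OID) + der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")          # version, serial
    + der(0x30, EC_OID) + der(0x30, b"") + der(0x30, b"")      # sigalg, issuer, validity
    + der(0x30, b"") + SAMPLE_SPKI)                             # subject, SPKI
    + der(0x30, EC_OID) + der(0x03, b"\x00" + b"\x22" * 70))   # outer sigalg, signature
```

A non-empty "missing" list means a rollover would fail DANE validation; a non-empty "stale" list means old records were never cleaned up after the previous rollover.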
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]