> On Dec 16, 2016, at 1:39 AM, Alice Wonder <al...@domblogger.net> wrote:
> 
> When an SMTP server publishes a TLSA record, will DANE enforcing SMTP servers 
> refuse to connect if the TLSA record matches the certificate but the 
> certificate has expired?

That depends on the TLSA records:

        https://tools.ietf.org/html/rfc7672#section-3.1.1
        https://tools.ietf.org/html/rfc7672#section-3.1.2

The oldest working past-due certificate expiration of a DANE SMTP domain
that I've been able to find is:

<beispiel>.de. IN MX 5 mx02.<example>.net. ; NOERROR AD=1
_25._tcp.mx02.<example>.net. IN TLSA 3 1 1 fcdd32774bfba667da276048137d0876754a115b8969fc098a61256844f0f9e6 ; passed at depth=0, matched=mx02.<example>.net
; Subject = CN=mx02.<example>.net
; Issuer = emailAddress=supp...@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
; Inception = 2010-03-22T23:22:05Z
; Expiration = 2010-09-18T23:22:05Z
; Fingerprint = ef133ed4207937fa5bd44bd674b4ae73b589bfeefd82435c2900bf820bbc33e5
<beispiel>.de. IN MX 10 mx-in01.<example>.net. ; NOERROR AD=1
_25._tcp.mx-in01.<example>.net. IN TLSA 3 1 1 2e7062082ebff42db9cf70ab4fa398d5c3ea6f53a6fbfa883e878a8cac8c25f9 ; passed at depth=0
; Subject = CN=mx01.<example>.net
; Issuer = emailAddress=supp...@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
; Inception = 2010-03-22T23:22:23Z
; Expiration = 2010-09-18T23:22:23Z
; Fingerprint = 79c97afc1f973d42d4c5971c72c40f6dc4f455315c1f32cfe0d3c671dcce9a82

The primary MX certificate is expired, the secondary MX is both expired and
its name does not match the name in the certificate.  The latter is best
avoided, but is acceptable for DANE SMTP.

-- 
        Viktor.
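
An added example, not part of the thread above and not code from any DANE implementation: a stdlib-only Python sketch of what a DANE-enforcing SMTP client does after a "3 1 1" record matches, following the two RFC 7672 sections cited in the reply. Certificate usage DANE-EE(3) matches the leaf certificate and, per section 3.1.1, skips expiration and name checks, which is why the expired and mis-named certificates above still pass; DANE-TA(2) matches an issuer in the chain and, per section 3.1.2, still requires an unexpired leaf carrying the expected name. The certificates are constructed, unsigned X.509-shaped DER stand-ins built with a tiny encoder (only the SPKI, validity and subject are meaningful; signature verification and SAN handling are deliberately out of scope), and the names `mx02.example.net`, `mx-in01.example.net` and `Example CA` are placeholders standing in for the redacted hosts in the thread.

```python
import hashlib
from datetime import datetime, timezone

UTC = timezone.utc

# --- tiny DER encoder, just enough to build a constructed certificate ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def name(cn):  # X.501 Name holding a single commonName RDN
    return der(0x30, der(0x31, der(0x30, oid("2.5.4.3") + der(0x0C, cn.encode()))))

RSA_ALG = der(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00")

def make_cert(cn, issuer_cn, not_before, not_after, pubkey_bytes):
    """Constructed, unsigned stand-in certificate (placeholder key and signature)."""
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + RSA_ALG
              + name(issuer_cn) + der(0x30, utctime(not_before) + utctime(not_after))
              + name(cn) + spki)
    return der(0x30, tbs + RSA_ALG + der(0x03, b"\x00" * 17))

# --- tiny DER reader ---
def tlvs(buf):
    """Split a DER body into (tag, inner_body, whole_tlv) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start, tag, n, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            nb = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        out.append((tag, buf[pos:pos + n], buf[start:pos + n]))
        pos += n
    return out

def parse_cert(cert_der):
    fields = tlvs(tlvs(tlvs(cert_der)[0][1])[0][1])   # TBSCertificate fields
    if fields[0][0] == 0xA0:                           # skip explicit [0] version
        fields = fields[1:]
    _serial, _alg, _issuer, validity, subject, spki = fields[:6]
    not_after = datetime.strptime(tlvs(validity[1])[1][1].decode(),
                                  "%y%m%d%H%M%SZ").replace(tzinfo=UTC)
    cn = None
    for _, rdn, _ in tlvs(subject[1]):
        for _, attr, _ in tlvs(rdn):
            attr_oid, value = tlvs(attr)
            if attr_oid[2] == oid("2.5.4.3"):
                cn = value[1].decode()
    return {"der": cert_der, "spki": spki[2], "not_after": not_after, "cn": cn}

# --- RFC 6698 matching data and RFC 7672 certificate-usage semantics ---
def tlsa_matching_data(cert, selector, mtype):
    data = cert["der"] if selector == 0 else cert["spki"]   # 0 = Cert, 1 = SPKI
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    return data.hex()                                       # 0 = Full

def dane_smtp_check(tlsa, chain, server_name, now):
    """chain[0] is the leaf, the rest its issuers. Returns (accepted, reason)."""
    usage, selector, mtype, data = tlsa
    leaf, data = chain[0], data.lower()
    if usage == 3:   # DANE-EE: RFC 7672 3.1.1, no expiration or name checks
        if tlsa_matching_data(leaf, selector, mtype) != data:
            return False, "DANE-EE(3): TLSA data does not match the leaf"
        return True, "DANE-EE(3): matched; expiration and name ignored"
    if usage == 2:   # DANE-TA: RFC 7672 3.1.2, leaf must still be valid
        if not any(tlsa_matching_data(c, selector, mtype) == data for c in chain[1:]):
            return False, "DANE-TA(2): no issuer matches the TLSA data"
        if leaf["not_after"] < now:
            return False, "DANE-TA(2): leaf certificate expired"
        if leaf["cn"] != server_name:   # real clients also check SAN dNSName
            return False, "DANE-TA(2): leaf name mismatch"
        return True, "DANE-TA(2): trust-anchor match and leaf checks passed"
    return False, "PKIX-TA(0)/PKIX-EE(1) are not usable for DANE SMTP (RFC 7672 3.1.3)"

def demo(now=datetime(2016, 12, 16, tzinfo=UTC)):
    """Replays the thread's situation with constructed certificates and names."""
    ca = parse_cert(make_cert("Example CA", "Example CA", datetime(2009, 1, 1, tzinfo=UTC),
                              datetime(2029, 1, 1, tzinfo=UTC), b"\x02" * 32))
    leaf = parse_cert(make_cert("mx02.example.net", "Example CA",
                                datetime(2010, 3, 22, tzinfo=UTC),
                                datetime(2010, 9, 18, tzinfo=UTC), b"\x01" * 32))
    ee = (3, 1, 1, tlsa_matching_data(leaf, 1, 1))   # "3 1 1" as in the thread
    ta = (2, 1, 1, tlsa_matching_data(ca, 1, 1))
    return {
        "ee_expired": dane_smtp_check(ee, [leaf, ca], "mx02.example.net", now),
        "ee_expired_wrong_name": dane_smtp_check(ee, [leaf, ca], "mx-in01.example.net", now),
        "ee_wrong_data": dane_smtp_check((3, 1, 1, "00" * 32), [leaf, ca], "mx02.example.net", now),
        "ta_expired": dane_smtp_check(ta, [leaf, ca], "mx02.example.net", now),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22} {'accept' if ok else 'reject'}: {why}")
```

Running the script shows the three outcomes the reply describes: the expired leaf and the expired, mis-named leaf are both accepted under DANE-EE(3), a wrong digest is rejected, and the same expired leaf is rejected as soon as the record is DANE-TA(2). The `tlsa_matching_data` output for selector 1, matching type 1 is exactly the hex string that belongs in a `3 1 1` TLSA record for that certificate.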
