DNSSEC check fails validation for SMTP

#1 Tue, 04/30/2019 - 15:12
Glock24

Hello,

I recently set up DNSSEC for my domains and after validating with http://dnsviz.net DNSSEC seems to be working correctly.

However I got an email with the following warning:

The TLSA RRset of some of your email servers does not match their actual certificate chain. This impedes email delivery to your domain. Please adopt a better key rotation approach, what you're doing now is fragile and does not work reliably. It is better to have no TLSA records than to have incorrect TLSA records.

After checking again with these other tools I got the following errors:

Warning! No TLSA records for _443._tcp.mail.domain.tld. were found.
PKIX validation without DANE will be performed.
No usable TLSA records were found.
PKIX validation without DANE will be performed.
186.1.1.49 PKIX-validated successfully

https://check.sidnlabs.nl/dane/

All TLSA RRs failed. (See details.)
3, 0, 1 edd29083894d6f49[...]59de92fc52822b60 - certificate not trusted: (27)

https://dane.sys4.de/

From what I can understand, the problem might be that I have a (Let's Encrypt) certificate for every domain and I have another certificate that I use for the mail subdomain for all virtual servers (e.g. mail.domain1.tld, mail.domain2.tld, mail.domain3.tld, etc.) that is being used by postfix.

The TLSA validation is being checked against the certificate for every domain, so when it checks the SMTP connection the certificate fails the verification because it's a different certificate.

Can anyone suggest how I can solve this issue?

Thanks.
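A local check for the mismatch described in this post (an added example, not code from the original post or from Postfix): it computes the TLSA certificate association data for selector 0 (full certificate) or 1 (SubjectPublicKeyInfo) from a DER certificate and compares it with a published record, so a record generated from the per-domain web certificate can be shown not to match the shared mail certificate Postfix presents. The certificate builder is a constructed, unsigned X.509-shaped stub so the example runs offline; against a real server you would feed it the DER certificate captured from the STARTTLS session on port 25.

```python
import hashlib

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_len(n):
    """Encode a DER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_children(data):
    """Yield (tag, value) for each top-level DER element in data."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body = next(der_children(cert_der))   # Certificate ::= SEQUENCE
    _, tbs_body = next(der_children(cert_body))   # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return tlv(0x30, fields[5][1])                # re-wrap; DER encoding is canonical

def tlsa_digest(cert_der, selector, matching):
    """Certificate association data per RFC 6698: selector 0=cert, 1=SPKI; matching 0=raw, 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return data.hex()
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(data).hexdigest()

def tlsa_matches(cert_der, selector, matching, published_hex):
    """True if the certificate the server actually presents matches the published TLSA data."""
    return tlsa_digest(cert_der, selector, matching) == published_hex.replace(" ", "").lower()

def build_sample_cert(key_bytes):
    """Constructed, X.509-shaped DER for offline testing only (unsigned, not a real certificate)."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 8)), spki
```

Publishing `tlsa_digest(mail_cert_der, 1, 1)` as a "3 1 1" record for `_25._tcp.mail.domain.tld` keys the record to the shared mail certificate rather than to each domain's web certificate, and the comparison function reproduces what the DANE checkers quoted above are doing when they report a mismatch.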