Issue DANE change Option 3 0 1 to 3 1 1 - DANE EE certificate does not match SHA2-256

superfun2k23

New Pleskian
Server operating system version
Debian 12.2
Plesk version and microupdate number
18.0.57 #2
Hi,

I have had a problem with DANE for a few days now. I get feedback from customers that they can't send mails to my mailboxes.

They're getting this error:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))

I've read that with LetsEncrypt I should use option 3 1 1 instead of 3 0 1, but where do I change this in Plesk?
Could this be the problem?

Because DNSSEC and DANE checks are fine and tell me, DANE EE certificate is OK
 
Hi,

I've read that with LetsEncrypt I should use option 3 1 1 instead of 3 0 1, but where do I change this in Plesk?
Could this be the problem?
The options depend on what value is used for the record. "3 0 1" is expected in this case.

They're getting this error:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))
I would suggest contacting Plesk Support to investigate what happened and why.

Because DNSSEC and DANE checks are fine and tell me, DANE EE certificate is OK
It seems something happened during the certificate and TLSA record roll-over. Now, when a new certificate was installed and the TLSA records were updated, everything started working normally again.

This roll-over is supported by Plesk, and that is why I am asking you to contact the Plesk Support team to figure out how it is possible that the issue happened.
 
You're right, it should work; updating keys works so far. When I renew the DANE TLSA keys, everything works as expected.
Regarding the DANE SMTP Service Checkup, everything works. (DANE TLSA 3 0 1 [d0bcebd1..]: OK matched EE certificate)

But still I get from some customers:
DANE Security Alert: Unable to verify MX mail.xxxx.de (DANE-EE: DANE Certificate Association Data does not match client certificate (SHA2-256))

I have a theory. Can it be that the customers themselves don't have DNSSEC/DANE, so it fails?
 
My theory is that the customer uses old cached TLSA records. While the cache has not expired, the customer does not receive the new TLSA records (e.g. both the old and the new TLSA records, or just the new TLSA records), and that is the reason why the new certificate does not match the cached TLSA records.
 
Let's say you have a Plesk server in Europe.

An external mail system located in Canada wants to send an email to your server. The external server asks an external DNS server (provided by its Internet Service Provider, also in Canada) for the TLSA records. The external DNS server caches the TLSA records for some time. If the external mail server sends another email to your server, the external DNS server provides the required records from its cache in Canada.
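As an added illustration of the two points made in this thread (the difference between "3 0 1" and "3 1 1", and why a sender holding stale cached TLSA records rejects a freshly renewed certificate), the following Python script is not code from the thread, from Plesk or from any DANE library. It reproduces the verifier's side of RFC 7672: compute the Certificate Association Data from the presented certificate for a given selector and matching type, and accept the certificate if any usage-3 record matches. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins (a real check feeds the DER certificate and its DER SPKI, for example from `openssl x509 -outform DER` and `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER`); the owner name `_25._tcp.mail.example.test.` is a placeholder.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA RDATA: usage, selector, matching type and association data."""
    usage: int           # 3 = DANE-EE (match the end-entity certificate itself)
    selector: int        # 0 = full certificate (Cert), 1 = SubjectPublicKeyInfo (SPKI)
    matching_type: int   # 0 = full data, 1 = SHA2-256, 2 = SHA2-512
    data: bytes          # Certificate Association Data

    def zone_line(self, owner: str = "_25._tcp.mail.example.test.") -> str:
        """Render the record as it would appear in a zone file (owner is a placeholder)."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def association_data(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the association data a verifier computes from the presented certificate."""
    selected = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def make_record(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> TlsaRecord:
    """Build the DANE-EE (usage 3) record a zone operator publishes for this certificate."""
    return TlsaRecord(3, selector, matching_type,
                      association_data(selector, matching_type, cert_der, spki_der))


def dane_ee_matches(records: Iterable[TlsaRecord], cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 7672 style check: the EE certificate is accepted if ANY usage-3 record matches it."""
    return any(
        r.usage == 3 and r.data == association_data(r.selector, r.matching_type, cert_der, spki_der)
        for r in records
    )


# Constructed stand-ins for DER bytes (not real certificates). The SPKI is embedded in the
# certificate bytes so that the renewal below changes the certificate but keeps the key,
# which is what a key-reusing renewal does.
SPKI_DER = b"constructed-spki:same-key-pair"
CERT_OLD = b"constructed-cert:notBefore=jan:" + SPKI_DER
CERT_NEW = b"constructed-cert:notBefore=apr:" + SPKI_DER   # renewed certificate, same key


def renewal_scenario() -> dict:
    """What a sender that still holds the OLD TLSA records in its DNS cache decides."""
    cached_301 = [make_record(0, 1, CERT_OLD, SPKI_DER)]             # "3 0 1" published before renewal
    cached_311 = [make_record(1, 1, CERT_OLD, SPKI_DER)]             # "3 1 1" published before renewal
    both_301 = cached_301 + [make_record(0, 1, CERT_NEW, SPKI_DER)]  # old and new published together
    return {
        "old_cert_301": dane_ee_matches(cached_301, CERT_OLD, SPKI_DER),      # True: nothing changed yet
        "new_cert_301": dane_ee_matches(cached_301, CERT_NEW, SPKI_DER),      # False: the alert in the thread
        "new_cert_311": dane_ee_matches(cached_311, CERT_NEW, SPKI_DER),      # True: key pair unchanged
        "new_cert_301_both": dane_ee_matches(both_301, CERT_NEW, SPKI_DER),   # True: roll-over done right
    }


if __name__ == "__main__":
    for rec in (make_record(0, 1, CERT_NEW, SPKI_DER), make_record(1, 1, CERT_NEW, SPKI_DER)):
        print(rec.zone_line())
    for case, ok in renewal_scenario().items():
        print(f"{case}: {'OK matched EE certificate' if ok else 'does not match (SHA2-256)'}")
```

The scenario shows the two remedies the thread touches on. A "3 0 1" record hashes the whole certificate, so every renewal changes it, and any sender whose resolver still caches the old record gets exactly the "does not match client certificate (SHA2-256)" alert quoted above until the TTL expires. Publishing the new "3 0 1" record alongside the old one before the new certificate goes live (RFC 7671 recommends waiting at least the record TTL, ideally twice it, before switching) keeps such senders matching throughout the roll-over. A "3 1 1" record hashes only the public key, so it survives a renewal, but only if the renewal reuses the key pair; Let's Encrypt clients generate a fresh key by default unless told otherwise (certbot's `--reuse-key`), in which case "3 1 1" breaks on renewal just like "3 0 1".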
 