DANE attempt failed - certificate verify failed for outgoing mail?

[scristopher]

Having a odd issue sending mail to a single domain from either webmail or using a email client. From my other servers I can send to this domain just fine but this particular server wont send mail to this domain, I am seeing the following in exim_mainlog (mail.domain.net and domain.net are the remote domain the senders are sending to):

2020-03-25 09:09:17 1jH5mW-0069XR-Us DANE attempt failed; TLS connection to mail.domain.net [xx.xx.xx.xx]: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2020-03-25 09:09:17 1jH5mW-0069XR-Us == [email protected] R=lookuphost T=remote_smtp defer (-37) H=mail.domain.net [xx.xx.xx.xx]: TLS session: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It looks to me like exim is trying to connect using TLS and failing to verify the remote hosts cert but on my other hosts I can send mail to this domain just fine, I'm really not sure what the issue here is, all other outgoing email appears to be fine except to this domain. Unfortunately I can't really ignore this problem because the domain belongs to a local business and they get a lot of email from our customers. Any ideas?

 

[cPanelLauren]

Are you seeing this occur for one domain on this server only or any domain on this server is experiencing the issue?

In case anyone is curious DANE is DNS-Based Authentication of Named Entities and it's explained in the RFC here: RFC 7672 - SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)

The DANE protocol uses specific TLSA records to authenticate an SMTP server. I see a really interesting conversation on this here: Re: [exim] DANE(TA) doesn't work with self signed certificates but as far as I am aware cPanel does not currently have DANE support. I'd be curious to see if this issue is similar to the one referenced here: DANE error: tlsa lookup DEFER

 

[scristopher]

Are you seeing this occur for one domain on this server only or any domain on this server is experiencing the issue?

In case anyone is curious DANE is DNS-Based Authentication of Named Entities and it's explained in the RFC here: RFC 7672 - SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)

The DANE protocol uses specific TLSA records to authenticate an SMTP server. I see a really interesting conversation on this here: Re: [exim] DANE(TA) doesn't work with self signed certificates but as far as I am aware cPanel does not currently have DANE support. I'd be curious to see if this issue is similar to the one referenced here: DANE error: tlsa lookup DEFER

I'm actually only seeing this to one domain, what is odd is that I have several other cpanel servers and they can send to this domain just fine, I'm really not sure what to check on this one that might be different.

 

[scristopher]

Well I changed my nameservers and now I'm not getting any issues, that was the only thing I could find that was different between these servers and that appears to have done it.

 

[cPanelLauren]

Based on what you sent me and what is noted in that other ticket the issue looks to be a result of a failed DNSSEC configuration or check since the domain you're sending to has DNSSEC in place. Since you changed the nameservers and it's working now I'd wager that the issue is on the domain that was previously being used for the NS.

I do want to point out that the domain you're sending from does not have any mail related DNS Records that it should have to send mail. You should create an SPF and DKIM record. I confirmed it appears there is a valid PTR record in place.