It appears that some naïve deployments of Mailcow ship with a default SMTP server private key and certificate that is the same for all users. Since the "private key" is bundled with the software, it is not in fact private: anyone can get a copy. Some users of Mailcow are apparently unaware of this and even publish DANE TLSA records for the underlying shared certificate:
name = mail.example.org
Issuer Organization = mailcow
notBefore = 2016-12-13T10:11:00Z
notAfter = 2019-11-28T10:11:00Z
Subject CommonName = mail.example.org
Subject Organization = mailcow
pkey sha256 = 2ec600d703259867099b63ef278e2852ee2a4f7d9a90d39c47bd22858288a3bd
I don't know whether Mailcow has since been updated to stop doing this on new installs, but in any case, and more broadly, I'd like to make two suggestions:
Some example TLSA records:
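As an added example (not code from the post or from the Mailcow project), this is how the "3 1 1" TLSA value quoted above is derived from a certificate's DER SubjectPublicKeyInfo, so an operator can compare the record they publish against the key that ships in the bundle. The minimal DER walker and the `demo_cert` fixture are my own and assume only the standard X.509 TBSCertificate field order.

```python
# Derive a DANE-EE SPKI SHA-256 ("3 1 1") TLSA value from a DER certificate; the walker relies only on TBSCertificate field order.
import hashlib

# pkey sha256 of the shared Mailcow certificate quoted in the post above.
SHARED_MAILCOW_PKEY_SHA256 = "2ec600d703259867099b63ef278e2852ee2a4f7d9a90d39c47bd22858288a3bd"

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, start, value_start, end)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, start, pos, pos + length

def extract_spki(cert_der):
    """Return the complete DER SubjectPublicKeyInfo (header included)."""
    cert = _tlv(cert_der, 0)                     # Certificate ::= SEQUENCE
    tbs = _tlv(cert_der, cert[2])                # tbsCertificate ::= SEQUENCE (first child)
    fields, pos = [], tbs[2]
    while pos < tbs[3]:                          # walk the TBSCertificate fields in order
        fields.append(_tlv(cert_der, pos))
        pos = fields[-1][3]
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, start, _, end = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[start:end]

def tlsa_311(cert_der):
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def is_shared_mailcow_key(tlsa_data):
    """True when a published '3 1 1' record pins the bundled, non-private Mailcow key."""
    return tlsa_data.strip().lower() == SHARED_MAILCOW_PKEY_SHA256

def der(tag, body):
    """Encode a DER TLV (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def demo_cert(spki):
    """Constructed, unsigned v3 certificate skeleton around a given SPKI (fixture only)."""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

On a real server the input is the DER form of the certificate Postfix presents (`openssl x509 -outform DER`), and a match against `SHARED_MAILCOW_PKEY_SHA256` means the TLSA record pins a key that is not private.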