Some mail servers (MX hosts) have associated TLSA records with certificate usage 2 (DANE-TA) that match the recently retired Let's Encrypt issuer CA ("X3") and/or its emergency backup "X4". All Let's Encrypt users publishing DANE-TA(2) TLSA records need to update them so that they match the current intermediate issuer CAs.
In more detail, there are multiple Let's Encrypt issuer certificates that may be used in automated certificate renewals: two primary certificates ("R3" and "E1") and their emergency backups ("R4" and "E2"). Thus, SMTP server operators using DANE-TA(2) with Let's Encrypt certificates must publish the following list of TLSA records (possibly in addition to "3 1 1" records matching the server public key) for each of their MX hosts in order to prevent delivery failures:
CA tag | Recommended TLSA Records to match Let's Encrypt issuer CAs |
---|---|
R3 | _25._tcp.each.mx.host. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d |
R4 | _25._tcp.each.mx.host. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 |
E1 | _25._tcp.each.mx.host. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 |
E2 | _25._tcp.each.mx.host. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 |
The "X3" and "X4" hashes below are no longer needed, and SHOULD NOT be used. The reason that there are pairs of "2 0 1" and "2 0 2" records is that the X3 and X4 CAs were initially signed by DST and later by ISRG. All certificates issued via "X3" have long expired, and all replacements are using "R3" or "E1".
CA tag | TLSA Records of retired CAs to avoid |
---|---|
X3 | 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18 |
X3 | 2 1 2 774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E334D7CD6 ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82FCC2A9146629B140 |
X3 | 2 0 1 731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568 |
X3 | 2 0 1 25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D |
X3 | 2 0 2 5EC5B0783C6E667E0965DF772943A06326768DE0F75DC0BD2FE378F02CCCA7D5 6C987656174CBE158CC29ECD763F8BDA3454332CC7D47FB934691409C5FB8686 |
X3 | 2 0 2 2E1E12DACB350E69317A7F37D769F46F16F437CF8D392319279C93515E5600BA ED3D3ACD5DC83B673E8C60CF7FBA0DCE00A4D162A3B966A3EBF72487C376FCA0 |
X4 | 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B |
X4 | 2 1 2 A0F5D1333BC90BCEA0B0B5F401160B6E7F28A1256BC5B5D65F04B06B0BB0C962 70AA81D8E2726394D385BF3E9EE46EB4AB7548C782D5688CC16D0CDFFEFB8594 |
X4 | 2 0 1 5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4 |
X4 | 2 0 1 A74B0C32B65B95FE2C4F8F098947A68B695033BED0B51DD8B984ECAE89571BB6 |
X4 | 2 0 2 74DDAD9F8CDFA0FE6F6B70301B557A63A58B87FC2C17FAE0F65E47D141226C06 2A74FA14861DC47A720BD8699B99091A06BD695CDDE51222F837B9DECFC270C5 |
X4 | 2 0 2 964468A5C685F305AA5865C049D814770B844DF2CF7645F9A4AFAF42957E334B CF1F290BABAAFE020C4E9A68C5689D570E37F11114FFD676C95B17B3D768B932 |
MX hosts whose TLSA records include only the "X3" and/or "X4" digest are no longer able to receive email from sending systems that perform DANE validation.
Also, the TLSA RRsets of some MX hosts list the hashes of the DST-issued R3 and/or R4 issuer certificates, which expired on 2021-09-29. These hashes should not be used, and the expired certificates in question should not appear in your server certificate chains. The correct R3 and R4 certificates to use are the ones signed by ISRG.
Expired DST-issued R3/R4 CA hashes |
---|
2 0 1 730c1bdcd85f57ce5dc0bba733e5f1ba5a925b2a771d640a26f7a454224dad3b |
2 0 2 dd35f36f0db81b56a1cc9f734e4258d66125530fa8cfaf6b5efe79d517318302 4ebc78543b69bdd89fde3724816a035a20cbdcedb5e44dd2b746ab9b0b304ccd |
2 0 1 5a8f16fda448d783481cca57a2428d174dad8c60943ceb28f661ae31fd39a5fa |
2 0 2 5df0164684f2640bedcdbe82abc7335a12389974882fb120afe5f85f1cf1db2b 071e81a17adca47af1050b6bbb39afd1e09c33b0f2347b9122758f3ad2036d1a |
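As an added example (not part of this survey page or its tooling), the following Python audit checks an MX host's published TLSA RRset against the digests listed above: it flags the retired X3/X4 digests, the expired DST-issued R3/R4 certificate hashes, any remaining Cert(0)-selector issuer records, and reports which of the four recommended "2 1 1" records are still missing. The sample RRset at the bottom is constructed for the demo (its "3 1 1" digest is made up); in practice you would feed it the TLSA records you actually publish for each MX host.

```python
"""Audit a published DANE-TA(2) TLSA RRset against the digests listed on this page."""

# Recommended "2 1 1" digests for the current Let's Encrypt issuer CAs (from the table above).
RECOMMENDED_211 = {
    "R3": "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "R4": "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
    "E1": "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
    "E2": "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
}


def _normalize(digest: str) -> str:
    """Lower-case and drop whitespace (the page prints SHA-512 digests in two halves)."""
    return "".join(digest.split()).lower()


# Digests of the retired X3/X4 CAs that SHOULD NOT be used (from the table above).
RETIRED = {_normalize(d): tag for tag, d in [
    ("X3", "60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18"),
    ("X3", "774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E334D7CD6 ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82FCC2A9146629B140"),
    ("X3", "731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568"),
    ("X3", "25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D"),
    ("X3", "5EC5B0783C6E667E0965DF772943A06326768DE0F75DC0BD2FE378F02CCCA7D5 6C987656174CBE158CC29ECD763F8BDA3454332CC7D47FB934691409C5FB8686"),
    ("X3", "2E1E12DACB350E69317A7F37D769F46F16F437CF8D392319279C93515E5600BA ED3D3ACD5DC83B673E8C60CF7FBA0DCE00A4D162A3B966A3EBF72487C376FCA0"),
    ("X4", "B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B"),
    ("X4", "A0F5D1333BC90BCEA0B0B5F401160B6E7F28A1256BC5B5D65F04B06B0BB0C962 70AA81D8E2726394D385BF3E9EE46EB4AB7548C782D5688CC16D0CDFFEFB8594"),
    ("X4", "5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4"),
    ("X4", "A74B0C32B65B95FE2C4F8F098947A68B695033BED0B51DD8B984ECAE89571BB6"),
    ("X4", "74DDAD9F8CDFA0FE6F6B70301B557A63A58B87FC2C17FAE0F65E47D141226C06 2A74FA14861DC47A720BD8699B99091A06BD695CDDE51222F837B9DECFC270C5"),
    ("X4", "964468A5C685F305AA5865C049D814770B844DF2CF7645F9A4AFAF42957E334B CF1F290BABAAFE020C4E9A68C5689D570E37F11114FFD676C95B17B3D768B932"),
]}

# DST-issued R3/R4 certificate hashes that expired on 2021-09-29 (from the table above).
EXPIRED_DST = {_normalize(d) for d in [
    "730c1bdcd85f57ce5dc0bba733e5f1ba5a925b2a771d640a26f7a454224dad3b",
    "dd35f36f0db81b56a1cc9f734e4258d66125530fa8cfaf6b5efe79d517318302 4ebc78543b69bdd89fde3724816a035a20cbdcedb5e44dd2b746ab9b0b304ccd",
    "5a8f16fda448d783481cca57a2428d174dad8c60943ceb28f661ae31fd39a5fa",
    "5df0164684f2640bedcdbe82abc7335a12389974882fb120afe5f85f1cf1db2b 071e81a17adca47af1050b6bbb39afd1e09c33b0f2347b9122758f3ad2036d1a",
]}


def parse_tlsa(rdata: str):
    """'2 1 1 <hex>' -> (usage, selector, mtype, normalized_hex)."""
    parts = rdata.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, _normalize(" ".join(parts[3:]))


def audit_tlsa_rrset(records):
    """Classify each DANE-TA(2) record and report which recommended records are missing."""
    findings = {"retired": [], "expired_dst": [], "fragile_cert0": [],
                "unrecognized": [], "present": [], "missing": []}
    for rr in records:
        usage, selector, mtype, digest = parse_tlsa(rr)
        if usage != 2:
            continue                                  # DANE-EE(3) etc. are outside this check
        if digest in RETIRED:
            findings["retired"].append((RETIRED[digest], rr))
        elif digest in EXPIRED_DST:
            findings["expired_dst"].append(rr)
        elif selector == 0:
            findings["fragile_cert0"].append(rr)      # Cert(0) selector: breaks on cross-signing
        elif (selector, mtype) == (1, 1) and digest in RECOMMENDED_211.values():
            findings["present"].append(next(t for t, d in RECOMMENDED_211.items() if d == digest))
        else:
            findings["unrecognized"].append(rr)       # some other issuer CA, or a typo
    findings["missing"] = [t for t in RECOMMENDED_211 if t not in findings["present"]]
    return findings


# Constructed sample RRset for the demo: the "3 1 1" digest is made up, the others come from the page.
SAMPLE_RRSET = [
    "3 1 1 " + "ab" * 32,
    "2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18",
    "2 0 1 730c1bdcd85f57ce5dc0bba733e5f1ba5a925b2a771d640a26f7a454224dad3b",
    "2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
]

if __name__ == "__main__":
    for key, value in audit_tlsa_rrset(SAMPLE_RRSET).items():
        print(f"{key:14} {value}")
```

For the sample RRset the audit reports one retired X3 record, one expired DST-issued Cert(0) record, R3 present, and R4, E1 and E2 missing; a host in that state would keep working until the next renewal lands on an issuer other than R3, which is exactly the failure the page warns about.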
Please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile, and worse, "R3" and "R4" are cross-signed by two different issuers, so there are two different full certificate hashes for each of R3 and R4, but just one underlying public key and therefore one corresponding "2 1 1" hash. The same cross-signing issue can arise with the other issuer CAs at some point in the future.
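To show concretely why the "2 1 1" form survives cross-signing, here is an added Python example (not from this page) that computes TLSA certificate association data from a DER certificate with a small hand-written DER walker. The certificates it builds are synthetic, unsigned stand-ins (`fake_spki` and `fake_cert` are assumptions for an offline demo, not real Let's Encrypt certificates): two of them carry the same SubjectPublicKeyInfo under different issuer names, so their Cert(0) digests differ while their SPKI(1) digests are identical. Point `spki_of`/`tlsa_record` at a real DER intermediate to generate the records for your own chain.

```python
"""Compute TLSA certificate association data (RFC 6698) from DER certificates."""
import hashlib


# --- minimal DER helpers (assumption: definite-length DER only, as X.509 requires) ---
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Decode the element at buf[pos:]; return (tag, value, end_offset, whole_tlv)."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    start, end = pos + hdr, pos + hdr + ln
    return tag, buf[start:end], end, buf[pos:end]


def der_children(body: bytes):
    """Split the contents of a constructed element into (tag, whole_tlv) members."""
    members, pos = [], 0
    while pos < len(body):
        tag, _, pos, tlv = der_read(body, pos)
        members.append((tag, tlv))
    return members


def spki_of(cert_der: bytes) -> bytes:
    """Return the encoded SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate is: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ..."""
    tag, cert_body, _, _ = der_read(cert_der, 0)
    tbs_tag, tbs_body, _, _ = der_read(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                        # explicit [0] version is present
        fields = fields[1:]
    return fields[5][1]                             # 0 serial, 1 sigalg, 2 issuer, 3 validity, 4 subject, 5 spki


def tlsa_matching_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Hex association data: selector 0 = full cert, 1 = SPKI; type 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()


def tlsa_record(owner: str, cert_der: bytes, usage=2, selector=1, mtype=1) -> str:
    """Render a presentation-format TLSA record (defaults to a DANE-TA(2) "2 1 1" issuer record)."""
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_matching_data(cert_der, selector, mtype)}"


# --- synthetic certificates (assumption: structurally valid, unsigned stand-ins for the demo) ---
_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
_RSA_KEY = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))


def _name(cn: bytes) -> bytes:
    # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))))


def fake_spki(seed: bytes) -> bytes:
    """RSA-shaped SubjectPublicKeyInfo whose key bits are placeholder bytes derived from seed."""
    return der_tlv(0x30, _RSA_KEY + der_tlv(0x03, b"\x00" + hashlib.sha256(seed).digest() * 2))


def fake_cert(issuer_cn: bytes, subject_cn: bytes, spki: bytes) -> bytes:
    """Minimal X.509 v3 DER blob with an all-zero signature; NOT a real certificate."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    validity = der_tlv(0x30, der_tlv(0x17, b"210901000000Z") + der_tlv(0x17, b"250901000000Z"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, b"\x01") + _SHA256_RSA
                  + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return der_tlv(0x30, tbs + _SHA256_RSA + der_tlv(0x03, b"\x00" + bytes(64)))


def cross_sign_demo():
    """Same intermediate key certified by two different roots (as with R3/R4 under DST and ISRG).
    Returns ((cert0_sha256_a, cert0_sha256_b), (spki1_sha256_a, spki1_sha256_b))."""
    key = fake_spki(b"demo intermediate key")
    by_dst = fake_cert(b"DST Root CA X3", b"R3", key)
    by_isrg = fake_cert(b"ISRG Root X1", b"R3", key)
    return (
        (tlsa_matching_data(by_dst, 0, 1), tlsa_matching_data(by_isrg, 0, 1)),  # "2 0 1": differ
        (tlsa_matching_data(by_dst, 1, 1), tlsa_matching_data(by_isrg, 1, 1)),  # "2 1 1": identical
    )


if __name__ == "__main__":
    cert0, spki1 = cross_sign_demo()
    print("2 0 1 digests differ:   ", cert0[0] != cert0[1])
    print("2 1 1 digests identical:", spki1[0] == spki1[1])
    demo = fake_cert(b"ISRG Root X1", b"R3", fake_spki(b"demo intermediate key"))
    print(tlsa_record("_25._tcp.mx.example.", demo))
```

A "2 0 1" record pins one specific certificate, so a chain switching between the DST-signed and ISRG-signed copies of the same intermediate needs two records and breaks when the wrong one is dropped; a "2 1 1" record pins the key inside the certificate and matches both copies with a single RRset entry.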
The table below lists MX hosts that are still publishing TLSA records matching the retired "X3" or "X4" CAs or the outdated R3 or R4 certificates issued by DST. It is sorted to list hosts that serve the most domains first.
signed domains | host name |
---|---|
76 | mail.seolando.de |
47 | mx2.vos-systems.net |
47 | mx3.vos-systems.net |
47 | mx4.vos-systems.net |
37 | mx1.vos-systems.net |
28 | hosting01.spotler.net |
24 | twaddle.saltant.net |
23 | mailproxy.nynex.de |
22 | mail.laesche.net |
22 | mail.sportvereine.online |
22 | mx1.mxspamfilter.de |
21 | mx2.mxspamfilter.de |
20 | huaxal.midgard-muenchen.de |
20 | mail.laesche.eu |
20 | mail.twe.net |
20 | mx1.vforge.net |
20 | mx2.vforge.net |
20 | mx3.vforge.net |
18 | clara.zenti.cloud |
18 | mail.js86.de |
18 | smtp.astrath.net |
17 | hosting03.spotler.net |
16 | a.mx.mb-net.net |
16 | b.mx.mb-net.net |
16 | c.mx.mb-net.net |
16 | d.mx.mb-net.net |
16 | mail.actionhosting.co.uk |
16 | mail.saftware.de |
16 | mx2.hangmans-stuff.de |
16 | www.hangmans-stuff.de |
15 | artemis.strebsjig.net |
14 | mx1.elvikingo.de |
14 | mx1.privatemail.dk |
14 | mx2.privatemail.dk |
13 | mail.mydanner.de |
12 | helium.bklosr.de |
12 | mail.twwd.de |
12 | mx2.slxh.eu |
11 | mail.fortmail.de |
11 | mail.profidea.cz |
10 | mail.level-10.net |
10 | mail.newday.host |
9 | mail.chas.se |
9 | mail.itzer.de |
8 | mail.hessis.eu |
8 | mail.little-brother.eu |
8 | mail.petabits.de |
8 | smtp.krvtz.net |
7 | bovender.de |
6 | celestia.ferretporn.se |
6 | mail-02.own-mail.eu |
6 | mail.abdene.dk |
6 | mail.efflam.net |
6 | mail.ferretporn.se |
6 | mail.schem.me |
6 | mx.casanapoli.eu |
6 | server.isthilfreich.de |
5 | postbox.idefix.net |
5 | smtp.meekorah.net |
4 | albigro.eu |
4 | hoedown.de |
4 | mail.delorus.de |
4 | mail.didas.nl |
4 | mail.kdv-fh-bayern.de |
4 | mail.prauscher.de |
4 | mail.region46.de |
4 | mail.rkfomh.net |
4 | mail1.apahlevan.org |
4 | mail1.french-collection.ca |
4 | mail1.jduprat.net |
4 | mail1.judoatlas.net |
4 | mail1.kdv-fh-bayern.de |
4 | mail1.teiteia.net |
4 | mail1.zillner.it |
4 | mail2.apahlevan.org |
4 | mail2.didas.nl |
4 | mail2.french-collection.ca |
4 | mail2.jduprat.net |
4 | mail2.judoatlas.net |
4 | mail2.kdv-fh-bayern.de |
4 | mail2.teiteia.net |
4 | mx.kasteleiner.net |
4 | mx1.donotconnect.de |
4 | mx1.sldev.ovh |
4 | mx2.donotconnect.de |
4 | mx2.sldev.ovh |
4 | oniz.s-up.net |
4 | polaris.svanheule.net |
4 | rz2.siegnetz.de |
4 | smtp.delaat.net |
4 | sternschnuppe.bofh-noc.de |
4 | theos.kyriasis.com |
4 | thylacine3.cfaerber.name |
3 | email.anzuenden.jetzt |
3 | jonaswitmer.ch |
3 | m41l3r.webfoersterei.de |
3 | mx1.mksec.de |
3 | positron.dckd.nl |
3 | vps01.pamp.no |
2 | delorus.de |
2 | frontend.mail.faelix.net |
2 | hal.ws-team.de |
2 | hummus.exim.org |
2 | mail.fls-wiesbaden.de |
2 | mail.genano.de |
2 | mail.inty.se |
2 | mail.itnet33.ru |
2 | mail.knuthildebrandt.de |
2 | mail.ls-srv.de |
2 | mail.metalabs.de |
2 | mail.mindcode.de |
2 | mail.petg.cz |
2 | mail.pleijster.nl |
2 | mail.qdaniel.de |
2 | mail.reisingerfamily.net |
2 | mail.tpmkranz.org |
2 | mail145.server.simon-mueller.de |
2 | metso.hack.fi |
2 | mx.benny.de |
2 | mx.qsdf.org |
2 | mx.r2w.tech |
2 | mx.sportvereine.online |
2 | mx.techthisout.de |
2 | mx1.loos.net |
2 | mx3.loos.net |
2 | puzio.waw.pl |
2 | secondary.mail.faelix.net |
2 | server.eightyfive.net |
2 | tolstoi.wkraft.org |
1 | adblockextreme.com |
1 | adblockextreme.net |
1 | adblockextreme.org |
1 | curve.hertzkurve.de |
1 | fire.crza.de |
1 | glasgestaltung.biz |
1 | gorki.wkraft.org |
1 | hergotha.bimajority.org |
1 | jo-so.de |
1 | kolmann.at |
1 | mail.controlc.de |
1 | mail.cphpvb.net |
1 | mail.dekerkvantoen.nl |
1 | mail.digi-na.nl |
1 | mail.disgruntledcode.com |
1 | mail.dm4productions.com |
1 | mail.estroh.com |
1 | mail.fobul.net |
1 | mail.gamerangerz.de |
1 | mail.in42.de |
1 | mail.istar-link.com |
1 | mail.johannesmeyers.nl |
1 | mail.kuhmunity.space |
1 | mail.libraoptima.eu |
1 | mail.lourens.cloud |
1 | mail.lukysek.cz |
1 | mail.nobugz.eu |
1 | mail.nopanen.fi |
1 | mail.ovks.de |
1 | mail.pamp.no |
1 | mail.plevenlab.org |
1 | mail.pogoraid.nl |
1 | mail.ray-works.de |
1 | mail.rehaag.net |
1 | mail.skyonesg.net |
1 | mail.subse.eu |
1 | mail.takarosapartman.com |
1 | mail.teratorium.email |
1 | mail.uptheinter.net |
1 | mail.wyzer.cl |
1 | mail1.jan.tm |
1 | mail2.disgruntledcode.com |
1 | mx-01.nakene.com |
1 | mx.demi.cloud |
1 | mx.janisluenne.de |
1 | mx.xelerance.com |
1 | mx01.gcsfb.de |
1 | mx1.alexhaase.de |
1 | mx1.finalhosting.cz |
1 | mx1.kuhmunity.space |
1 | mx2.demi.cloud |
1 | neverwasinparis.com |
1 | nextrus.info |
1 | plesk.247guide.nl |
1 | regulus.brecht-schule.hamburg |
1 | smtp.miltonroad.net |
1 | smtp.pamp.no |
1 | smtp.picordi.fr |
1 | smtp.shelton.me |
1 | smtp2.strotmann.de |
1 | trustserv.de |
1 | vmp.nopanen.fi |
1 | vps1.kobezda.net |
1 | xn--krperwahrnehmung-mwb.de |