DANE TLSA Validation Failure for MX Host – Certificate CN Mismatch (Virtualmin + Postfix + Let's Encrypt)

Hello everyone,

I’m running a mail server using Virtualmin with the following setup:

Primary domain: mydomain.com
MX record: mail.mydomain.com
DNSSEC: Enabled and functioning correctly
TLSA records: Configured and published for mail.mydomain.com
Postfix certificate: Let’s Encrypt multi-domain certificate for both mydomain.com and mail.mydomain.com

However, I’m facing an issue where external DANE validators report the following error:

"The DANE TLSA records of these MX hosts fail to validate their certificate chains. Inbound email may be delayed or not delivered."

Upon further inspection, I noticed that when connecting to port 25 (SMTP), the certificate served by Postfix presents mydomain.com as the Common Name (CN), even though mail.mydomain.com is listed as a Subject Alternative Name (SAN) in the certificate.

It appears that the DANE TLSA check is failing due to a mismatch between the MX hostname (mail.mydomain.com) and the CN reported in the certificate, even though the SAN includes it.

My Questions:

Is it mandatory for the certificate’s CN to exactly match the MX hostname (mail.mydomain.com) for DANE to validate correctly, even if it’s listed in the SAN?

Is there a way to configure Postfix (or Virtualmin) to explicitly serve mail.mydomain.com as the CN during the TLS handshake?

Has anyone resolved a similar DANE validation issue in a Virtualmin setup with Let’s Encrypt certificates?

Appreciate any insights or guidance on resolving this issue. Thank you!

SYSTEM INFORMATION
OS type and version: Ubuntu 24 LTS
Webmin version: 2.303
Virtualmin version: 7.30.8
Postfix version: 3.8.6

Yes. You can configure Virtualmin to explicitly serve the SSL certificate for the mail subdomain by getting Let’s Encrypt to issue only that certificate for the virtual server.

Don’t ask Let’s Encrypt to give you a multi-domain certificate; request a single-domain one, for your mail subdomain only. Will this cause the website on your domain to lose its SSL certificate? Yes, it will.

To address the TLSA validation issue, I’m considering creating a separate Virtualmin virtual server for mail.mydomain.com, solely to obtain a dedicated Let’s Encrypt SSL certificate for the mail subdomain. The plan is to then use this certificate to configure Postfix.

Would this approach work as intended for DANE/TLSA validation without affecting the existing website SSL setup?

The mail subdomain is a reserved subdomain. You aren’t supposed to create a virtual server for the mail subdomain.

Maybe it is just DNS catching up.

For DANE you need DNSSEC set up, locally and at the registrar.

Set it up and then request a new cert.

Maybe restart BIND and then also clear the local DNS cache.

Then wait; it sometimes takes a day for everything to catch up.

I use a wildcard cert for all *.mydomain; MX works fine.

Was there a bug where the TLSA record was not getting updated and it has to be done manually every 30 days?

Not a bug: there is no TLSA rollover yet, so when it is updated there is a short while where there is a mismatch because of DNS.

In the upcoming Virtualmin there is a fix for the rollover scheme :+1:

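The two threads of this discussion, the opening CN-versus-SAN question and the later posts about records going stale after a renewal, are easier to reason about with a small model of what an SMTP DANE verifier (RFC 7672) actually compares. The script below is an added example written for this thread; it is not Virtualmin or Postfix code, and the certificate and SubjectPublicKeyInfo values in it are constructed placeholder byte strings rather than real DER. It parses TLSA rdata in the `usage selector matching-type hex` form that `dig` prints, computes the digest a record must carry for a given certificate, and runs the scenarios from the thread: a DANE-EE (`3 1 1`) record never consults the certificate name at all, a DANE-TA (`2 1 1`) record is satisfied by a SAN dNSName regardless of the CN, a record left over from a re-keyed renewal fails until the zone is updated, and publishing old and new digests together (the rollover the last posts refer to) keeps validation passing during the overlap. The DANE-TA handling is simplified to "some issuer in the served chain matches, then the leaf is name-checked"; the name matching is the usual SAN-first rule with a single-label wildcard.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 whole certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact copy, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes                # DER of the certificate (placeholder bytes below)
    spki: bytes               # DER of its SubjectPublicKeyInfo (placeholder bytes below)
    san_dns: Tuple[str, ...]  # dNSName entries of the SAN extension
    cn: Optional[str] = None  # subject Common Name


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format as printed by `dig TLSA`, e.g. '3 1 1 8d2a...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rec: TLSA, cert: Cert) -> bytes:
    """Bytes a record with this selector/matching type must carry to match `cert`."""
    raw = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 0:
        return raw
    return hashlib.new({1: "sha256", 2: "sha512"}[rec.mtype], raw).digest()


def tlsa_rdata(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """The rdata to publish for `cert`, e.g. tlsa_rdata(3, 1, 1, leaf)."""
    digest = association_data(TLSA(usage, selector, mtype, b""), cert)
    return f"{usage} {selector} {mtype} {digest.hex()}"


def name_matches(mx_host: str, cert: Cert) -> bool:
    """RFC 6125-style host check: SAN dNSNames are authoritative; the CN is
    consulted only when the certificate carries no dNSName at all."""
    host = mx_host.rstrip(".").lower()
    names = cert.san_dns or ((cert.cn,) if cert.cn else ())
    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[:-len(name[1:])]       # what the wildcard stands for
            if prefix and "." not in prefix:     # exactly one leftmost label
                return True
    return False


def dane_validate(mx_host: str, records: Sequence[TLSA], chain: List[Cert]) -> Tuple[bool, str]:
    """Simplified RFC 7672 check of a served chain (leaf first, then issuers)."""
    leaf, issuers = chain[0], chain[1:]
    usable = [r for r in records if r.usage in (2, 3)]  # PKIX usages are unusable for SMTP
    if not usable:
        return False, "no usable TLSA records"
    for rec in usable:
        if rec.usage == 3:
            # DANE-EE: the leaf itself must match; neither name nor expiry is checked
            if association_data(rec, leaf) == rec.data:
                return True, "DANE-EE match (certificate name not checked)"
        elif any(association_data(rec, ca) == rec.data for ca in issuers):
            # DANE-TA: an issuer matched, so the leaf must also pass the name check
            if name_matches(mx_host, leaf):
                return True, "DANE-TA match with name check"
            return False, f"DANE-TA anchor matched but {mx_host} is not in SAN/CN"
    return False, "no TLSA record matches the served chain (stale record after renewal?)"


# Constructed placeholders standing in for DER bytes; these are not real certificates.
NAMES = ("mydomain.com", "mail.mydomain.com")
CA = Cert(b"CONSTRUCTED-CA-DER", b"CONSTRUCTED-CA-SPKI", (), "Example Issuing CA")
OLD_LEAF = Cert(b"CONSTRUCTED-OLD-DER", b"CONSTRUCTED-OLD-SPKI", NAMES, "mydomain.com")
NEW_LEAF = Cert(b"CONSTRUCTED-NEW-DER", b"CONSTRUCTED-NEW-SPKI", NAMES, "mydomain.com")
WILDCARD_LEAF = Cert(b"CONSTRUCTED-WC-DER", b"CONSTRUCTED-WC-SPKI", ("*.mydomain.com",), "*.mydomain.com")
CN_ONLY_LEAF = Cert(b"CONSTRUCTED-CN-DER", b"CONSTRUCTED-CN-SPKI", (), "mydomain.com")


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """The situations discussed in the thread, run against the model above."""
    mx = "mail.mydomain.com"
    ee_old = [parse_tlsa(tlsa_rdata(3, 1, 1, OLD_LEAF))]   # record from before a re-keyed renewal
    ee_new = [parse_tlsa(tlsa_rdata(3, 1, 1, NEW_LEAF))]
    ta = [parse_tlsa(tlsa_rdata(2, 1, 1, CA))]
    return {
        "cn_differs_dane_ee": dane_validate(mx, ee_new, [NEW_LEAF, CA]),    # CN never consulted
        "cn_differs_dane_ta": dane_validate(mx, ta, [NEW_LEAF, CA]),        # SAN satisfies the check
        "stale_record_after_renewal": dane_validate(mx, ee_old, [NEW_LEAF, CA]),
        "rollover_both_published": dane_validate(mx, ee_old + ee_new, [NEW_LEAF, CA]),
        "wildcard_cert_dane_ta": dane_validate(mx, ta, [WILDCARD_LEAF, CA]),
        "cn_only_no_san_dane_ta": dane_validate(mx, ta, [CN_ONLY_LEAF, CA]),  # CN fallback, wrong host
    }
```

To run the same comparison against a real MX, replace the placeholder bytes with the certificate fetched by `openssl s_client -starttls smtp -connect mail.mydomain.com:25`, its SPKI from `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER`, and the records from `dig +dnssec TLSA _25._tcp.mail.mydomain.com`; Postfix's own `posttls-finger` does the full check end to end. The takeaway for the opening question is that for a `3 1 1` record the CN is simply never consulted, so a validator complaining about the chain is reporting a digest mismatch (typically the published record no longer matching the key that renewal installed), not a CN problem.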