Virtualmin does not generate TLSA record for MX

No TLSA records are generated for the host in my MX record.

I do see records with mail.<domain> even though they are not used in my zone.

Is this in error or do I not understand this correctly?

the inbound e-mail is first handled by my firewall and then handed over to virtualmin managed system

SYSTEM INFORMATION
OS type and version Debian 10
Webmin version 2.001
Virtualmin version 7.3-1 Pro
Related packages

Sad to see no reaction, regardless if it is a confirmation or rejection, of this issue.

Sorry if this is a silly question.

However due to this omission, outlook.com is rejecting to deliver mail , which is a serious breaker.

I don’t believe that’s the case. I haven’t seen outlook.com reject on lack of DNSSEC. I don’t use DNSSEC (for a variety of reasons, mostly because it doesn’t actually accomplish anything of value for security) and my mail servers are able to deliver to Microsoft servers.

What is the exact error you get? We can probably help you troubleshoot the problem.

If you really do want DNSSEC, Webmin does have support for configuring and managing DNSSEC.

That’s true. However when DNSSEC is enabled, which is the case, I have seen Outlook connections break because of TLSA record not being there for the MX record referred

If you want to use TLSA than I recommend you get an ssl cert for at least 2 years and remember when it expires.
" Whenever a certificate is renewed (with selector=0), or when a key is rotated, a new TLSA record must be published before the new certificate is installed, whilst keeping DNS propagation delays in mind."

Some useful information: How to create a DANE TLSA record with OpenSSL - Mailhardener knowledge base

I have DNSSEC enabled on Postfix and my DNS provider and I don’t use TLSA and never had any problems with Outlook connections. Perhaps something else is triggering the break. I would check my postfix logs at the time it happens to see what the problem is.

1 Like

Interesting to learn you do not use TLSA and have either DNSSEC enabled or disabled. The issue I had beginning of december may have another reason.
The thing is that when I correctly added the proper TLSA record for the host used in the MX record logs indicating issues with outlook connections disappeared.

I will remove TLSA record and actively monitor the logs and see if trouble comes back.

After I removed the TLSA version from the MX record, the troubles returned. But, after I removed the TLSA records from the domein of the troubled e-mail domains, tis solved the issue.

Outlook wants TLSA for the server in the MX record for domains with TLSA enabled. This should be taken into account when enabling TLSA for a domain.

For various domains in my management I use one MX server and thus MX record. When the destination domain is TLSA’d it is necessary to have the MX record TLSA’d too.

Removing TLSA records worked as indicated by @cyberndt and @Joe . Thanks.

Leaves me with the question why not all relevant records get a TLSA record ?