New intermediate certificates from Let’s Encrypt may lead to rejected e-mails. The problem is not large, but it exposes fundamental weaknesses.
In the course of the long-announced certificate change at the free certification authority Let’s Encrypt, the team has started to use a new intermediate certificate. This should not really cause any problems yet, since the big break is not planned until next year, as the team itself points out. However, as the Exim developer Phil Pennock now writes, the change may still cause problems with mail servers under certain circumstances.
The announcement says: “If you are using DANE to pin your certificates (…) and have not yet added support for the new intermediate certificates, you now have a problem: As soon as your systems renew the certificates, other e-mail systems verifying DANE will refuse connections to your mail server because an unauthorized certification authority is used”.
The idea behind Let’s Encrypt and the underlying ACME protocol is to automate the renewal of the certificates in use. If that renewal happens, as in the case described here, without the accompanying technical information (here the DANE records) being updated as well, e-mails can no longer be delivered.
With the help of DANE, domain owners and server operators can store certificates and their public keys in a DNS resource record. This lets them specify themselves which certificates are trusted for the connection, and clients can verify this. DANE is based on DNSSEC. In a commentary five years ago, Golem.de described the many problems with DNSSEC and DANE in more detail and also explained details of the protocols.
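To make the failure mode described above concrete, here is an added example (not code from the article, from Exim or from Let’s Encrypt) that models DANE/TLSA matching as defined in RFC 6698 and RFC 7671: an operator publishes a TLSA record that pins either the server’s own key (usage 3, DANE-EE) or an intermediate CA that must appear in the chain (usage 2, DANE-TA), and a verifying peer compares the presented chain against it. The certificates are constructed stand-ins (plain byte strings in place of real DER and SubjectPublicKeyInfo), so no X.509 parsing is involved; the names "old intermediate", "new intermediate" and the server keys are placeholders, not Let’s Encrypt’s actual certificates. The scenario shows why an automated renewal under a new intermediate is refused when the TLSA record still pins the old one, and which records survive the change.

```python
# Added example: minimal model of DANE/TLSA verification and a CA intermediate rollover.
# Certificates are constructed placeholders, not real X.509 data.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: the full DER and its SubjectPublicKeyInfo (SPKI)."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int          # 2 = DANE-TA (pin a CA that must appear in the chain), 3 = DANE-EE (pin the leaf)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # Certificate Association Data


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Compute the Certificate Association Data for one certificate (RFC 6698 section 2.1)."""
    raw = cert.der if selector == 0 else cert.spki
    if matching_type == 0:
        return raw
    if matching_type == 1:
        return hashlib.sha256(raw).digest()
    if matching_type == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert: Cert, usage: int, selector: int = 1, matching_type: int = 1) -> TLSA:
    """Build the TLSA record an operator would publish for this certificate."""
    return TLSA(usage, selector, matching_type, association_data(cert, selector, matching_type))


def tlsa_presentation(rr: TLSA) -> str:
    """Zone-file form of the RDATA, e.g. for _25._tcp.mail.example. IN TLSA."""
    return f"{rr.usage} {rr.selector} {rr.matching_type} {rr.data.hex()}"


def dane_verify(chain: list, records: list) -> bool:
    """True if at least one TLSA record authenticates the presented chain.

    chain[0] is the end-entity certificate; chain[1:] are the CA certificates the
    server sends. Usages 0 and 1 (PKIX-TA/PKIX-EE) additionally require normal
    WebPKI validation and are not modelled here.
    """
    for rr in records:
        if rr.usage == 3:
            candidates = chain[:1]      # DANE-EE: only the leaf is compared
        elif rr.usage == 2:
            candidates = chain[1:]      # DANE-TA: the pinned CA must be in the sent chain
        else:
            continue
        if any(association_data(c, rr.selector, rr.matching_type) == rr.data for c in candidates):
            return True
    return False


def renewal_scenario() -> dict:
    """Constructed rollover: the CA starts issuing under a new intermediate.

    All byte strings are made-up placeholders standing in for real DER/SPKI.
    """
    old_ca = Cert("old intermediate", b"der:old-intermediate", b"spki:old-intermediate")
    new_ca = Cert("new intermediate", b"der:new-intermediate", b"spki:new-intermediate")
    leaf_v1 = Cert("mail (issued by old CA)", b"der:leaf-v1", b"spki:server-key-1")
    # ACME renewal under the new intermediate: once with the same key, once with a fresh key
    leaf_v2_same_key = Cert("mail (renewed, key reused)", b"der:leaf-v2", b"spki:server-key-1")
    leaf_v2_new_key = Cert("mail (renewed, new key)", b"der:leaf-v3", b"spki:server-key-2")

    ta_old = make_tlsa(old_ca, usage=2)      # "2 1 1 ..." pinning the old intermediate
    ta_new = make_tlsa(new_ca, usage=2)      # the record that should be added before renewal
    ee = make_tlsa(leaf_v1, usage=3)         # "3 1 1 ..." pinning the server's own key

    return {
        "ta_before_renewal": dane_verify([leaf_v1, old_ca], [ta_old]),
        "ta_after_renewal": dane_verify([leaf_v2_same_key, new_ca], [ta_old]),
        "ta_with_both_published": dane_verify([leaf_v2_same_key, new_ca], [ta_old, ta_new]),
        "ee_after_renewal_key_reused": dane_verify([leaf_v2_same_key, new_ca], [ee]),
        "ee_after_renewal_new_key": dane_verify([leaf_v2_new_key, new_ca], [ee]),
    }


if __name__ == "__main__":
    for label, ok in renewal_scenario().items():
        print(f"{label:30s} {'accepted' if ok else 'REFUSED'}")
```

The scenario makes the operational lesson visible: a "2 1 1" record pinning an intermediate is refused the moment the CA signs with a different intermediate, unless the new intermediate's record was published beforehand (and allowed to propagate past the DNS TTL) so that both are present during the changeover. A "3 1 1" record pinning the server's own key survives the intermediate change only if the renewal reuses the key; a renewal that generates a fresh key needs the same add-then-switch handling of the TLSA record.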
DANE is hardly used
In practice, DANE has hardly gained a foothold with the large mail hosters. The protocol has achieved some adoption in Germany: GMX, Web.de and smaller providers such as Posteo or Mailbox.org support it. Internationally, however, DANE is insignificant, and its use in the browser is practically dead. The error connected with the certificate change should therefore have a comparatively small impact and probably mainly affects those who run their own e-mail servers and use DANE.
The current Exim warning regarding the new intermediate certificates, however, again shows that the ideas for additional protection of TLS certificates have some practical problems. Pinning the public key of a certificate was pursued in browsers with HPKP, a similar idea to DANE. The technique was removed after a few years, however, because it too could lead to web servers becoming unavailable, analogous to the problem described for e-mail servers. Meanwhile, the major mail server operators are using the MTA-STS standard, which is intended to secure the encrypted connections between them.