Adding DNS (TLSA - Record) and match against SMTP-server public fingerprint #4040

New issue

Open

opened 2026-02-28 03:49:04 -05:00 by deekerman · 1 comment

deekerman commented 2026-02-28 03:49:04 -05:00

Owner

Copy link

Originally created by @DRieper on GitHub (Mar 17, 2025).

📑 I have found these related issues/pull requests

I realized that many smal and medium sized companies do not support DANE for their mailservers.
In fact the privacy of mail communication contains a lot of sensitive information, they are partly still vulnerable through man-in-the-middle 'downgrade attack'.

🏷️ Feature Request Type

New monitor

🔖 Feature description

Often I heard that they can not reliably monitor "DANE" and validate the TLSA DNS-record against the public-fingerprint of the SMTP servers certificate. Since some are using letsencrypt and are afraid to miss the renewal..without pinning the csr/key.

Since I love your lightweight smoth running uptime-kuma, I would suggest to expand it if possible with that feature.

I think it would already be sufficient just to enter the expected value of the TLSA record and check against openssl for the verification lines.

✔️ Solution

Example how to check it through dig:

:~$ dig +noall +answer _25._tcp.mail.protonmail.ch TLSA
_25._tcp.mail.protonmail.ch. 821 IN     TLSA    3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E
_25._tcp.mail.protonmail.ch. 821 IN     TLSA    3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1

And gathering the Information with:

openssl s_client -starttls smtp -connect mail.protonmail.ch:25 -dane_tlsa_domain mail.protonmail.ch -dane_tlsa_rrdata "3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1" </dev/null 2>/dev/null

Result:

SSL handshake has read 3951 bytes and written 433 bytes
Verification: OK
Verified peername: *.protonmail.ch
DANE TLSA 3 1 1 ...8f7d10a4469a947acc8399e1 matched EE certificate at depth 0

❓ Alternatives

No response

📝 Additional Context

No response

Originally created by @DRieper on GitHub (Mar 17, 2025). ### 📑 I have found these related issues/pull requests I realized that many smal and medium sized companies do not support DANE for their mailservers. In fact the privacy of mail communication contains a lot of sensitive information, they are partly still vulnerable through man-in-the-middle 'downgrade attack'. ### 🏷️ Feature Request Type New monitor ### 🔖 Feature description Often I heard that they can not reliably monitor "DANE" and validate the TLSA DNS-record against the public-fingerprint of the SMTP servers certificate. Since some are using letsencrypt and are afraid to miss the renewal..without pinning the csr/key. Since I love your lightweight smoth running uptime-kuma, I would suggest to expand it if possible with that feature. I think it would already be sufficient just to enter the expected value of the TLSA record and check against openssl for the verification lines. ### ✔️ Solution Example how to check it through dig: ``` :~$ dig +noall +answer _25._tcp.mail.protonmail.ch TLSA _25._tcp.mail.protonmail.ch. 821 IN TLSA 3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E _25._tcp.mail.protonmail.ch. 821 IN TLSA 3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1 ``` And gathering the Information with: ``` openssl s_client -starttls smtp -connect mail.protonmail.ch:25 -dane_tlsa_domain mail.protonmail.ch -dane_tlsa_rrdata "3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947ACC8399E1" </dev/null 2>/dev/null ``` Result: ``` SSL handshake has read 3951 bytes and written 433 bytes Verification: OK Verified peername: *.protonmail.ch DANE TLSA 3 1 1 ...8f7d10a4469a947acc8399e1 matched EE certificate at depth 0 ``` ### ❓ Alternatives _No response_ ### 📝 Additional Context _No response_

deekerman added the

feature-request

A:monitor

type:enhance-existing

labels 2026-02-28 03:49:04 -05:00

deekerman commented 2026-02-28 03:49:08 -05:00

Author

Owner

Copy link

@CommanderStorm commented on GitHub (Mar 24, 2025):

I have no idea who/what dane is, but we would love a PR assuming this is in the DNS spec.

The dns monitor is defined here:

• Backend: https://github.com/louislam/uptime-kuma/blob/master/server/monitor-types/dns.js
• Frontend: https://github.com/louislam/uptime-kuma/blob/master/src/pages/EditMonitor.vue

For things like this, I would expect a testcase as well to ensure that we don't regress.

@CommanderStorm commented on GitHub (Mar 24, 2025): I have no idea who/what dane is, but we would love a PR assuming this is in the DNS spec. The dns monitor is defined here: - Backend: https://github.com/louislam/uptime-kuma/blob/master/server/monitor-types/dns.js - Frontend: https://github.com/louislam/uptime-kuma/blob/master/src/pages/EditMonitor.vue For things like this, I would expect a testcase as well to ensure that we don't regress.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

npm-update

3.0.X

dev-better-auth

copilot/remove-password-complexity-requirements

2.2.X

copilot/sub-pr-6355

1.23.X

api-via-socketio-client

2.1.3

2.1.2

2.1.1

2.1.0

2.1.0-beta.3

2.1.0-beta.2

2.1.0-beta.1

2.1.0-beta.0

2.0.2

2.0.1

1.23.17

2.0.0

2.0.0-beta.4

2.0.0-beta.3

2.0.0-beta.2

2.0.0-beta.2-temp

2.0.0-beta.1

1.23.16

2.0.0-beta.0

1.23.15

1.23.14

1.23.13

1.23.12

1.23.11

1.23.10

1.23.9

1.23.8

1.23.7

1.23.6

1.23.5

1.23.5-beta.0

1.23.4

1.23.3

1.23.2

1.23.1

1.23.0

1.23.0-beta.1

1.23.0-beta.0

1.22.1

1.22.0

1.22.0-beta.0

1.21.3

1.21.2

1.21.2-beta.0

1.21.1

1.21.0

1.21.0-beta.1

1.21.0-beta.0

1.20.2

1.20.1

1.20.0

1.20.0-beta.0

1.19.6

1.19.5

1.19.4

1.19.3

1.19.2

1.19.1

1.19.0

1.19.0-beta.2

1.19.0-beta.1

1.19.0-beta.0

1.18.5

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-beta.0

1.17.1

1.17.0

1.17.0-beta.1

1.17.0-beta.0

1.16.1

1.16.0

1.16.0-beta.0

1.15.1

1.15.0

1.15.0-beta.1

1.14.1

1.15.0-beta.0

1.14.0

1.14.0-beta.2

1.13.2

1.14.0-beta.1

1.14.0-beta.0

1.13.1

1.13.0

1.13.0-beta.2

1.13.0-beta.1

1.13.0-beta.0

1.12.1

1.12.0

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.10.2

1.10.1

1.10.0

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.3

1.6.2

1.6.1

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.10

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

Labels

Clear labels   

A:accessibility

  

A:api

  

A:cert-expiry

  

A:core

  

A:dashboard

  

A:deployment

  

A:documentation

  

A:domain expiry

  

A:incidents

  

A:maintenance

  

A:metrics

  

A:monitor

  

A:notifications

  

A:reports

  

A:settings

  

A:status-page

  

A:ui/ux

  

A:user-management

  

Stale

  

ai-slop

  

blocked

  

blocked-upstream

  

bug

  

cannot-reproduce

  

dependencies

  

discussion

  

duplicate

  

feature-request

  

feature-request

  

good first issue

  

hacktoberfest

  

help

  

help wanted

  

house keeping

  

invalid

  

invalid-format

  

invalid-format

  

question

  

releaseblocker 🚨

  

security

  

spam

  

type:enhance-existing

  

type:new

  

wontfix

No labels

A:accessibility

A:api

A:cert-expiry

A:core

A:dashboard

A:deployment

A:documentation

A:domain expiry

A:incidents

A:maintenance

A:metrics

A:monitor

A:notifications

A:reports

A:settings

A:status-page

A:ui/ux

A:user-management

Stale

ai-slop

blocked

blocked-upstream

bug

cannot-reproduce

dependencies

discussion

duplicate

feature-request

feature-request

good first issue

hacktoberfest

help

help wanted

house keeping

invalid

invalid-format

invalid-format

question

releaseblocker 🚨

security

spam

type:enhance-existing

type:new

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/uptime-kuma#4040

No description provided.