DANE attempt failed - certificate verify failed for outgoing mail?
Having an odd issue sending mail to a single domain from either webmail or an email client. From my other servers I can send to this domain just fine, but this particular server won't send mail to this domain. I am seeing the following in exim_mainlog (mail.domain.net and domain.net are the remote domain the senders are sending to):
2020-03-25 09:09:17 1jH5mW-0069XR-Us DANE attempt failed; TLS connection to mail.domain.net [xx.xx.xx.xx]: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2020-03-25 09:09:17 1jH5mW-0069XR-Us == user@domain.net R=lookuphost T=remote_smtp defer (-37) H=mail.domain.net [xx.xx.xx.xx]: TLS session: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It looks to me like exim is trying to connect using TLS and failing to verify the remote host's cert, but on my other hosts I can send mail to this domain just fine. I'm really not sure what the issue here is; all other outgoing email appears to be fine except to this domain. Unfortunately I can't really ignore this problem because the domain belongs to a local business and they get a lot of email from our customers. Any ideas?
Are you seeing this occur for one domain on this server only, or is any domain on this server experiencing the issue? In case anyone is curious, DANE is DNS-Based Authentication of Named Entities and it's explained in the RFC here: but as far as I am aware cPanel does not currently have DANE support. I'd be curious to see if this issue is similar to the one referenced here:
Well, I changed my nameservers and now I'm not getting any issues. That was the only thing I could find that was different between these servers, and that appears to have done it.
Based on what you sent me and what is noted in that other ticket, the issue looks to be a result of a failed DNSSEC configuration or check, since the domain you're sending to has DNSSEC in place. Since you changed the nameservers and it's working now, I'd wager that the issue is on the domain that was previously being used for the NS. I do want to point out that the domain you're sending from does not have any mail-related DNS Records that it should have to send mail. You should create an SPF and DKIM record. I confirmed it appears there is a valid PTR record in place.
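To answer the question raised in the replies (one destination or every destination from this server), the DANE failures in exim_mainlog can be grouped by remote host. This is an added example, not part of the original thread: the sample lines are constructed in the format quoted above with placeholder hosts, addresses and message ids, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the exim_mainlog lines quoted in the thread;
# hosts, addresses and message ids are placeholders, not values from the thread.
SAMPLE_LOG = """\
2020-03-25 09:09:17 1jH5mW-0069XR-Us DANE attempt failed; TLS connection to mail.example.net [192.0.2.10]: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2020-03-25 09:09:17 1jH5mW-0069XR-Us == user@example.net R=lookuphost T=remote_smtp defer (-37) H=mail.example.net [192.0.2.10]: TLS session: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2020-03-25 09:10:02 1jH5nA-0069Yb-2k => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.7] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
2020-03-25 09:12:40 1jH5pX-0069Zc-7q DANE attempt failed; TLS connection to mail.example.net [192.0.2.10]: (SSL_connect): error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

ENTRY = re.compile(r"^\S+ \S+ ([0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+) (.*)$")
DANE_FAIL = re.compile(r"^DANE attempt failed; TLS connection to (\S+) \[[^\]]+\]")
DELIVERY = re.compile(r"^(=>|->|==) \S+ .*?\bH=(\S+) \[[^\]]+\]")


def summarize(log_text):
    """Count DANE failures, deferrals and deliveries per remote host."""
    stats = defaultdict(lambda: {"dane_failed": 0, "deferred": 0,
                                 "delivered": 0, "msgs": set()})
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # not a per-message log line
        msg_id, rest = entry.groups()
        dane = DANE_FAIL.match(rest)
        if dane:
            stats[dane.group(1)]["dane_failed"] += 1
            stats[dane.group(1)]["msgs"].add(msg_id)
            continue
        delivery = DELIVERY.match(rest)
        if delivery:
            flag, host = delivery.groups()
            # "==" marks a deferral; "=>" and "->" mark completed deliveries
            stats[host]["deferred" if flag == "==" else "delivered"] += 1
            stats[host]["msgs"].add(msg_id)
    return dict(stats)


def dane_blocked_hosts(stats):
    """Hosts with DANE failures and no successful delivery in the same log."""
    return sorted(h for h, s in stats.items()
                  if s["dane_failed"] and not s["delivered"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host in dane_blocked_hosts(summary):
        print(host, summary[host]["dane_failed"], "DANE failures")
```

If only hosts in DNSSEC-signed zones show up in the result while other deliveries succeed, that matches the pattern described in this thread, where the resolver used by the sending server was the difference.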