Server Tester

Checking unixadm.org:

Test # | Host | IP | Status | Test Description (§ Section)
DNSSEC DNS MX lookup unixadm.org = 10 mx.unixadm.org.
406 | mx.unixadm.org. | - | PASSED | All DANE-related tests must pass for a SMTP host
Scanning DANE tests for MX host mx.unixadm.org.
407 | unixadm.org | - | PASSED | "Domains that want secure inbound mail delivery need to ensure that all their SMTP servers and MX records are configured accordingly." Specifically, MX records that do not have DANE protection should not preempt MX servers that have DANE protection. (§2.2.1)
Highest priority MX server that is operational must be DANE protected
Conclusion: unixadm.org can receive DANE-secured EMAIL
Detail for MX host mx.unixadm.org.:
Test # | Host | IP | Status | Test Description (§ Section)
DNSSEC DNS CNAME lookup _25._tcp.mx.unixadm.org. = _tlsa.wildcard.unixadm.org.
102 | - | - | PASSED | if at any stage of recursive expansion an "insecure" CNAME record is encountered, then it and all subsequent results (in particular, the final result) MUST be considered "insecure" regardless of whether any earlier CNAME records leading to the "insecure" record were "secure". (§2.1.3)
Expanding CNAME _25._tcp.mx.unixadm.org. to _tlsa.wildcard.unixadm.org.
DNSSEC DNS TLSA lookup _tlsa.wildcard.unixadm.org. = 3 1 1 3D0801DCA9E1A23AB56C1608555CEB4410071F5ABE8BC128BAEEEDCD950F1D10
DNSSEC DNS TLSA lookup _tlsa.wildcard.unixadm.org. = 3 1 1 8D8A17C0E4A936BD683C52C45B28B876FEEADD3CF1A47A23C2F6317AC3AF15A3
103 | mx.unixadm.org. | - | PASSED | Service hostname must have matching TLSA record
Resolving TLSA records for hostname '_25._tcp.mx.unixadm.org.' and hostname _25._tcp.unixadm.org
104 | mx.unixadm.org. | - | PASSED | TLSA records must be secured by DNSSEC
Resolving TLSA records for hostname '_25._tcp.mx.unixadm.org.' and hostname _25._tcp.unixadm.org
DNSSEC DNS A lookup mx.unixadm.org. = 176.9.96.198
201 | mx.unixadm.org. | 176.9.96.198 | PASSED | Server must have working SMTP server on IP address
Checking for SMTP server on IPaddr 176.9.96.198
202 | mx.unixadm.org. | 176.9.96.198 | PASSED | "Any connection to the MTA MUST employ TLS authentication (SMTP Server must offer STARTTLS)" (§2.2)
Checking for STARTTLS
203 | mx.unixadm.org. | 176.9.96.198 | PASSED | "Any connection to the MTA MUST employ TLS authentication (SMTP Server must enter TLS mode)" (§2.2)
Executing STARTTLS
204 | mx.unixadm.org. | 176.9.96.198 | PASSED | "Any connection to the MTA MUST employ TLS authentication (SMTP Server must work after TLS entered)" (§2.2)
Executing QUIT
205 | mx.unixadm.org. | 176.9.96.198 | PASSED | Server must have End Entity Certificate
Fetching EE Certificate for mx.unixadm.org. from 176.9.96.198 port 25 via smtp
Checking TLSA record 3 1 1 8D8A17C0E4A936BD683C52C45B28B876FEEADD3CF1A47A23C2F6317AC3AF15A3
303 | mx.unixadm.org. | 176.9.96.198 | PASSED | TLSA Certificate Usage must be in the range 0..3, Selector in the range 0..1, and matching type in the range 0..2
Checking TLSA Parameters: 3 1 1
305 | mx.unixadm.org. | 176.9.96.198 | PASSED | Internet-Draft RECOMMEND[s] the use of "DANE-EE(3) SPKI(1) SHA2-256(1)" with "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records as a second choice, depending on site needs. (§3.1)
Checking TLSA Parameters against Internet-Draft Recommendation: 3 1 1
301 | mx.unixadm.org. | 176.9.96.198 | PASSED | "TLSA records for port 25 SMTP service used by client MTAs SHOULD NOT include TLSA RRs with certificate usage PKIX-TA(0) or PKIX-EE(1)" (§3.1.3)
Checking certificate usage: 3
- | mx.unixadm.org. | 176.9.96.198 | PASSED | TLSA record CU=3 matches EE certificate
401 | - | - | PASSED | At least one TLSA record must have a certificate usage and associated data that validates at least one EE certificate
Verifying TLSA record against certificate chain
End of TLSA record test
402 | mx.unixadm.org. | 176.9.96.198 | PASSED | There must be at least 1 usable TLSA record for a host name
Counting usable TLSA records for MX host mx.unixadm.org. ipaddr 176.9.96.198. Total found: 1
403 | mx.unixadm.org. | - | PASSED | All IP addresses for a host that is TLSA protected must TLSA verify
Validating TLSA records for 1 out of 1 IP addresses found for host mx.unixadm.org.
405 | - | - | PASSED | All DNS lookups must be secured by DNSSEC
Was DNSSEC present for all tests on which DNSSEC was relied?
406 | mx.unixadm.org. | - | PASSED | All DANE-related tests must pass for a SMTP host
Scanning DANE tests for MX host mx.unixadm.org.
Using OpenSSL Version 1.0.2h 3 May 2016
