ANN: DANE testing (sink at dane.sys4.de)
ietf-dane at dukhovni.org
Thu Apr 9 02:04:00 CEST 2015
On Thu, Apr 09, 2015 at 01:14:19AM +0200, Benny Pedersen wrote:

> >If you need a DNSSEC-enabled destination to test your DANE setup, send a
> >message to sink at dane.sys4.de. It will accept your message and discard it.
> >Check your log for a line "to dane.sys4.de". If it reads "Verified TLS
> >connection" (Postfix) your DANE setup works properly.

This tests outbound DANE settings in the Postfix SMTP client.

> posttls-finger example.org

This tests inbound DANE TLSA records in the Postfix SMTP server.

> >Apr 8 19:52:31 mail postfix/smtp: Verified TLS connection
> >established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with
> >cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;

I don't recommend ISC DLV lookaside. This is obsolete.

> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

These are Postfix SMTP client settings.

> from then on just use posttls-finger without any options
> posttls-finger dane.sys4.de

Which are not tested by posttls-finger; it tests the DANE configuration
of remote domains, not the client settings of the local MTA which
it mostly does not use. (It does rely on the same working resolver).
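An added example, not part of the original post: a small Python check that automates the "look in your log" step of the outbound test by reading Postfix `smtp` client log lines and reporting whether every TLS session to a destination reached the "Verified" level. The function names and the sample log are constructed for illustration; the first sample line is the one quoted in the thread, joined onto one line.

```python
import re

# Outbound Postfix smtp(8) TLS log line; the [pid] is optional because the
# line quoted in the thread omits it. Inbound smtpd lines do not match.
LINE_RE = re.compile(
    r"postfix/smtp(?:\[\d+\])?: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def tls_sessions(lines):
    """Yield one dict per outbound TLS session found in the log lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def dane_check(lines, destination):
    """Return (ok, sessions) for one logged destination host.

    ok is None when no TLS session to the host was logged, True when every
    logged session was "Verified", and False otherwise (for example a
    fallback to an unauthenticated session).
    """
    want = destination.lower()
    sessions = [s for s in tls_sessions(lines) if s["host"].lower() == want]
    if not sessions:
        return None, sessions
    return all(s["level"] == "Verified" for s in sessions), sessions

# Constructed sample log: line 1 is from the thread, lines 2-3 are made up.
SAMPLE_LOG = [
    "Apr 8 19:52:31 mail postfix/smtp: Verified TLS connection established to "
    "dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr 8 19:53:02 mail postfix/smtp[2112]: Untrusted TLS connection "
    "established to mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Apr 8 19:54:10 mail postfix/smtpd[2120]: Anonymous TLS connection "
    "established from mail.example.org[192.0.2.77]: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    for host in ("dane.sys4.de", "mx.example.net"):
        ok, found = dane_check(SAMPLE_LOG, host)
        print(host, "verified" if ok else "NOT verified", len(found))
```

Like the manual check, this only exercises the outbound client settings; a `None` result means no TLS session to that host was logged at all, which usually points to a delivery that never negotiated TLS or a log file that does not cover the test message.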