Postfix question

Frank Fiene ffiene at veka.com
Thu Jan 15 15:46:13 CET 2015


Sorry about the confusion.

In Patrick's and Carsten's PDF file there are two examples.

I think they describe outgoing connections, right?
There are the keywords „Verified“ and „Untrusted“, so far so good.

But what about incoming connections?
There seems to be no parameter like smtpd_tls_security_level or smtpd_dns_support_level.

Is it not possible to verify incoming connections, which in my opinion is more important than outgoing?

And in my log file there are only anonymous TLS connections which means: no CA-signed certificate, right?


Frank

> On 15.01.2015 at 15:25, Frank Fiene <ffiene at veka.com> wrote:
> 
> 
>> On 15.01.2015 at 14:10, Michael Schwartzkopff <ms at sys4.de> wrote:
>> 
>> On Thursday, 15 January 2015, 13:46:39, Frank Fiene wrote:
>>> The „da" flag is missing!?
>> 
>> „ad"
> 
> Sigh, Apple ...
> 
>>> 
>>>> On 15.01.2015 at 13:06, Patrick Ben Koetter <p at sys4.de> wrote:
>>>> 
>>>> dig +dnssec dane.sys4.de
>>> 
>>> root at mail:/home/ffiene# dig +dnssec dane.sys4.de +m
>>> 
>>> ; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
>> 
>> 
>> Your resolver gets all the dnssec relevant RR of the domain, but does not 
>> check if the RRSIG are really correct. Please check the same with a dnssec 
>> enabled resolver. 8.8.8.8 for instance does check the signatures.
>> 
>> dig @8.8.8.8 +dnssec sys4.de
>> 
>> You will see that the "ad" flag is present in the answer.
>> 
>> Next step: Install a dnssec aware resolver.
> 
> On the other mailserver with no local DNS server (the other mailserver has a local DNS server which forwards to the same as this one):
> 
> root at mail1:/etc/postfix# dig +dnssec dane.sys4.de +m
> 
> ; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> +dnssec dane.sys4.de +m
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> 
> But still anonymous TLS connections only!
> 
> 
> 
> Frank
> 
>> Kind regards,
>> 
>> Michael Schwartzkopff
>> 
>> -- 
>> [*] sys4 AG
>> 
>> http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
>> Franziskanerstraße 15, 81669 München
>> 
>> Registered office: München, District Court of München: HRB 199263
>> Executive Board: Patrick Ben Koetter, Marc Schiffbauer
>> Chairman of the Supervisory Board: Florian Kirstein
> 
> Best regards!
> i.A. Frank Fiene
> -- 
> Frank Fiene
> IT-Security Manager VEKA Group
> 
> Fon: +49 2526 29-6200
> Fax: +49 2526 29-16-6200
> mailto: ffiene at veka.com
> http://www.veka.com
> 
> PGP-ID: 62112A51
> PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
> Threema: VZK5NDWW
> 
> VEKA AG
> Dieselstr. 8
> 48324 Sendenhorst
> Deutschland/Germany
> 
> Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
> Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
> Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
> HRB 8282 AG Münster/District Court of Münster
> 

Best regards!
i.A. Frank Fiene


More information about the dane-users mailing list
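
The resolver check discussed in this thread, as an added example that is not part of the original messages: a small shell helper that reads `dig +dnssec` output and reports whether the resolver set the "ad" flag. The function names `classify_dig`, `sample_mail` and `sample_mail1` are hypothetical; the sample header lines are the two posted in the thread, and the handling of a non-NOERROR status goes beyond what the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread). classify_dig is a hypothetical helper.
# Reads `dig +dnssec` output on stdin and prints one word:
#   validated     status NOERROR and the resolver set the "ad" flag
#   unvalidated   status NOERROR but no "ad" flag
#   failed:RCODE  any other status, e.g. SERVFAIL
#   unparsed      no dig header found in the input
classify_dig() {
    awk '
        { sub(/^[> ]+/, "") }               # tolerate mail quote markers
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)   # drop the label
            sub(/;.*/, "", line)            # drop the counters after ";"
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
            seen = 1
        }
        END {
            if (!seen || status == "") print "unparsed"
            else if (status != "NOERROR") print "failed:" status
            else if (ad) print "validated"
            else print "unvalidated"
        }
    '
}

# Header lines as posted in the thread for host "mail" (no "ad" flag).
sample_mail() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
EOF
}

# Header lines as posted in the thread for host "mail1" ("ad" flag set).
sample_mail1() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Live use: dig +dnssec dane.sys4.de | classify_dig
```

Run against the resolver the mail server actually uses, the helper gives a one-word answer that can be checked from a monitoring script.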