Postfix not accepting DANE secured peer

Viktor Dukhovni ietf-dane at
Fri Jan 30 09:10:15 CET 2015

On Fri, Jan 30, 2015 at 08:54:48AM +0100, Wolfgang Rosenauer wrote:

> Anyway testing sending from one of my already enabled Postfix systems to
> the new one I only get "Anonymous TLS connection established" while the
> DANE validator reports everything green for
> the target.
> Any ideas? (target is

    $ postconf mail_version
    mail_version = 3.0-20150129

    $ posttls-finger -c -Lsummary
    posttls-finger: Verified TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

    (By the way is broken, publishes TLSA RRs, but
     does not offer STARTTLS).

Your DNS resolver is likely returning non-DNSSEC results.  Take
this question to the Postfix-users list.

    * Your smtp(8) delivery agent may be chrooted, and the resolv.conf
      file in the chroot jail may differ from the one in /etc, in
      any case one or the other may not be pointing at a loopback
      DNSSEC validating resolver.

    * Your Postfix configuration settings may be wrong.

	smtp_dns_support_level = dnssec
	smtp_tls_security_level = dane

    * Your Postfix version may not be 2.11.3 or later.

    * Your C library may not return the "AD" bit in DNSSEC
      replies (OpenBSD seems to have this problem).

When asking questions on the Postfix-users list, don't forget to
include all relevant logging, your "postconf -n" output (not mangled
by HTML email and without rewrapping of lines), all relevant
entries, the resolv.conf file content in and out of chroot, relevant
TLS policy table entries, the Postfix version, the OS version, ...

Don't provide needlessly verbose logs, just the basics with TLS
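The checklist above boils down to a few things you can verify before posting: does the resolver the smtp(8) process actually uses return the AD bit for a DNSSEC-signed TLSA lookup, does the resolv.conf inside the chroot match the one in /etc, are the two main.cf settings present, and is the Postfix version at least 2.11.3. The script below is an added example (not code from this thread or from Postfix) that does those checks. It assumes a UDP resolver on port 53, the default Debian-style chroot at /var/spool/postfix, and takes `postconf -n` output as text; the sample `postconf -n` text and DNS response used for testing are constructed.

```python
"""Diagnose "Anonymous TLS" to a DANE peer: resolver AD bit, chroot resolv.conf,
main.cf settings, Postfix version. Added example, not code from the ietf-dane
thread or from Postfix. Assumes a UDP resolver on port 53 and a chroot at
/var/spool/postfix (both assumptions)."""
import random
import socket
import struct

TLSA = 52
CHROOT = "/var/spool/postfix"  # assumption: Debian/Ubuntu default

# Constructed sample of a mis-set `postconf -n`, used for the offline check below.
SAMPLE_POSTCONF_N = """\
smtp_dns_support_level = enabled
smtp_tls_security_level = may
smtp_tls_loglevel = 1
"""
REQUIRED = {"smtp_dns_support_level": "dnssec", "smtp_tls_security_level": "dane"}


def build_query(name: str, qtype: int = TLSA) -> bytes:
    """DNS query with an EDNS0 OPT record carrying the DO bit (RFC 6891).
    A validating resolver answers a DO query with AD=1 for secure data."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the flags word of a DNS header. AD (0x0020) is what
    smtp_dns_support_level=dnssec relies on; without it TLSA data is treated
    as insecure and Postfix falls back from DANE."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    flags = struct.unpack("!H", response[2:4])[0]
    return {
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
    }


def query_flags(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one TLSA query over UDP and return the response header flags."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_flags(data)


def resolvers(resolv_conf: str) -> list:
    """Nameserver addresses from resolv.conf text; comments and other keywords ignored."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def version_tuple(v: str) -> tuple:
    """'3.0-20150129' -> (3, 0); '2.11.3' -> (2, 11, 3). Snapshot suffix dropped."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def version_ok(v: str) -> bool:
    """2.11.3 is the floor named in the thread."""
    return version_tuple(v) >= (2, 11, 3)


def check_postconf(postconf_n: str) -> dict:
    """Return {parameter: actual_value_or_None} for each required DANE setting
    that is absent from or wrong in `postconf -n` output."""
    actual = {}
    for line in postconf_n.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            actual[k.strip()] = v.strip()
    return {k: actual.get(k) for k, want in REQUIRED.items() if actual.get(k) != want}


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "_25._tcp.example.com"
    print("postconf problems (sample):", check_postconf(SAMPLE_POSTCONF_N))
    for path in ("/etc/resolv.conf", CHROOT + "/etc/resolv.conf"):
        try:
            conf = open(path).read()
        except OSError as e:
            print(f"{path}: {e}")
            continue
        for ns in resolvers(conf):
            try:
                f = query_flags(ns, name)
                print(f"{path}: {ns} -> ad={f['ad']} ra={f['ra']} rcode={f['rcode']}")
            except (OSError, ValueError) as e:
                print(f"{path}: {ns} -> error: {e}")
```

Run it with the peer's TLSA name (`_25._tcp.<mx-host>`) as the argument; a resolver listed in either resolv.conf that comes back with `ad=False` for a name posttls-finger verifies from elsewhere is the one smtp(8) is stuck with. Note that DO is set and CD is not, so the resolver is asked to validate; if AD only appears when you query 127.0.0.1 and not the address in the chroot copy, the two files have drifted apart.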
