Postfix not accepting DANE secured peer

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 30 09:10:15 CET 2015


On Fri, Jan 30, 2015 at 08:54:48AM +0100, Wolfgang Rosenauer wrote:

> Anyway testing sending from one of my already enabled Postfix systems to
> the new one I only get "Anonymous TLS connection established" while the
> DANE validator https://dane.sys4.de/smtp reports everything green for
> the target.
> 
> Any ideas? (target is mail.tismail.net)

    $ postconf mail_version
    mail_version = 3.0-20150129

    $ posttls-finger -c -Lsummary tismail.net
    posttls-finger: Verified TLS connection established to mail.tismail.net[185.27.180.68]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

    (By the way, tismail2.net is broken: it publishes TLSA RRs but
     does not offer STARTTLS.)

Your DNS resolver is likely returning non-DNSSEC results.  Take
this question to the Postfix-users list.

    * Your smtp(8) delivery agent may be chrooted, and the resolv.conf
      file in the chroot jail may differ from the one in /etc; in
      any case, one or the other may not be pointing at a loopback
      DNSSEC-validating resolver.

    * Your Postfix configuration settings may be wrong.

	smtp_dns_support_level = dnssec
	smtp_tls_security_level = dane

    * Your Postfix version may not be 2.11.3 or later.

    * Your C library may not return the "AD" bit in DNSSEC
      replies (OpenBSD seems to have this problem).

When asking questions on the Postfix-users list, don't forget to
include all relevant logging, your "postconf -n" output (not mangled
by HTML email and without rewrapping of lines), all relevant master.cf
entries, the resolv.conf file content in and out of chroot, relevant
TLS policy table entries, the Postfix version, the OS version, ...

Don't provide needlessly verbose logs, just the basics with TLS
loglevel=1.

    http://www.postfix.org/DEBUG_README.html#mail

-- 
	Viktor.
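Offline pre-flight checks for the checklist in this reply, added here as an example that is not part of Viktor's post or of Postfix itself. It takes the captured text of "postconf -n", resolv.conf (in and out of the chroot) and a "dig +dnssec" answer as arguments; the function names and the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the three
# DNS-related causes listed above, run against captured text.

# Both settings must be present and exact; the Postfix defaults are not
# DANE-capable. Prints what is off and returns 0 only when both are right.
check_dane_settings() {
    rc=0
    for want in "smtp_dns_support_level = dnssec" "smtp_tls_security_level = dane"; do
        key=${want%% *}
        have=$(printf '%s\n' "$1" \
            | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -z "$have" ]; then
            echo "missing: $key"; rc=1
        elif [ "$key = $have" != "$want" ]; then
            echo "wrong:   $key = $have (need: $want)"; rc=1
        fi
    done
    return $rc
}

# Every nameserver in a resolv.conf must be a loopback address, i.e. a
# local validating resolver; an AD bit set by a remote resolver travels
# over an unauthenticated path and must not be trusted.
resolver_is_loopback() {
    bad=$(printf '%s\n' "$1" \
        | awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }')
    [ -z "$bad" ]
}

# dig(1) prints the header flags as ";; flags: qr rd ra ad;". Without "ad"
# Postfix treats the TLSA lookup as unauthenticated and falls back to
# opportunistic TLS, which is what "Anonymous TLS connection" indicates.
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Constructed sample inputs resembling the symptoms discussed in the thread.
SAMPLE_CONF='smtp_dns_support_level = enabled
smtp_tls_security_level = dane'
SAMPLE_RESOLV_ETC='nameserver 127.0.0.1'
SAMPLE_RESOLV_CHROOT='nameserver 192.0.2.53'
SAMPLE_DIG=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

check_dane_settings "$SAMPLE_CONF" || echo "fix main.cf settings"
resolver_is_loopback "$SAMPLE_RESOLV_CHROOT" || echo "chroot resolv.conf is not loopback"
has_ad_flag "$SAMPLE_DIG" || echo "no AD bit: resolver is not validating"
```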

