Postfix not accepting DANE secured peer

Wolfgang Rosenauer wolfgang.rosenauer at
Fri Jan 30 09:23:20 CET 2015

On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
> On Fri, Jan 30, 2015 at 08:54:48AM +0100, Wolfgang Rosenauer wrote:
>     $ postconf mail_version
>     mail_version = 3.0-20150129
>     $ posttls-finger -c -Lsummary
>     posttls-finger: Verified TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

OK, so this confirms that the server is more or less set up correctly.

>     (By the way is broken, publishes TLSA RRs, but
>     does not offer STARTTLS).

Yes, it's not yet in production and the Postfix config is missing there.
Once I have the first one (which apparently is fine) up, I'll complete the
other one.

> Your DNS resolver is likely returning non-DNSSEC results.  Take
> this question to the Postfix-users list.

I will.
Interestingly I see "Verified" to other targets (like and

In any case thanks for the check and I'll report to the Postfix list.

