Postfix not accepting DANE secured peer
Wolfgang Rosenauer
wolfgang.rosenauer at an-netz.de
Fri Jan 30 09:23:20 CET 2015
On 30.01.2015 at 09:10, Viktor Dukhovni wrote:
> On Fri, Jan 30, 2015 at 08:54:48AM +0100, Wolfgang Rosenauer wrote:
>
> $ postconf mail_version
> mail_version = 3.0-20150129
>
> $ posttls-finger -c -Lsummary tismail.net
> posttls-finger: Verified TLS connection established to mail.tismail.net[185.27.180.68]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
OK, so this confirms that the server is more or less set up correctly.
Thanks.
> (By the way tismail2.net is broken, publishes TLSA RRs, but
> does not offer STARTTLS).
Yes, it's not yet in production and Postfix config is missing there.
Once I got the first one (which apparently is fine) up, I'll complete the
other one.
> Your DNS resolver is likely returning non-DNSSEC results. Take
> this question to the Postfix-users list.
I will.
Interestingly I see "Verified" to other targets (like mailbox.org and
others).
In any case thanks for the check and I'll report to the Postfix list.
Wolfgang
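
The resolver diagnosis quoted above comes down to whether the TLSA answer arrives with the AD (authenticated data) flag set. The following is an added example, not part of the original message or of Postfix: it builds a TLSA query with the EDNS0 DO bit and classifies a raw response. The owner name `_25._tcp.mail.tismail.net`, the resolver address `127.0.0.1` and the sample responses are assumptions constructed for illustration.

```python
import socket
import struct

TLSA = 52  # RR type number for TLSA (RFC 6698)

def build_query(name, qtype=TLSA, qid=0x1234):
    """DNS query with RD and AD set, plus an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 1)  # RD|AD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, TTL field carries DO (0x8000), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Return (rcode, ad_flag, answer_count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, bool(flags & 0x0020), ancount

def tlsa_answer_is_validated(response):
    """True only for NOERROR, at least one answer, and AD set by the resolver."""
    rcode, ad, ancount = classify(response)
    return rcode == 0 and ad and ancount > 0

def ask(resolver, name, timeout=3.0):
    """Send the query over UDP to the resolver (not called on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recvfrom(4096)[0]

# Constructed sample headers: same answer count, differing only in the AD bit.
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA

if __name__ == "__main__":
    for label, resp in (("validated", VALIDATED), ("unvalidated", UNVALIDATED)):
        print(label, classify(resp), tlsa_answer_is_validated(resp))
    # Live check (assumed resolver address and owner name):
    # print(classify(ask("127.0.0.1", "_25._tcp.mail.tismail.net")))
```

A resolver that answers like the second sample returns the TLSA records without vouching for them, which matches the symptom of seeing "Verified" from one host and not from another.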