postbank.de / dslbank.de
Andreas Schulze
andreas.schulze at datev.de
Tue Feb 2 12:43:50 CET 2016
Hello,
postbank.de is known (to me) as broken somehow. Today I noticed delivery problems to dslbank.de.
That focused my attention again on that unsolved issue.
$ posttls-finger dslbank.de
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay1.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to dslbank.de via mailrelay1.bonn.postbank.de: TLSA lookup error for mailrelay1.bonn.postbank.de:25
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mailrelay2.bonn.postbank.de type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to dslbank.de via mailrelay2.bonn.postbank.de: TLSA lookup error for mailrelay2.bonn.postbank.de:25
$ postconf mail_version
mail_version = 3.0.3
$ postconf smtp_tls_security_level
smtp_tls_security_level = dane
$ dig _25._tcp.mailrelay1.bonn.postbank.de tlsa
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20811
;_25._tcp.mailrelay1.bonn.postbank.de. IN TLSA
...
-> SERVFAIL is the problem here.
$ which_resolver_do_i_use
unbound-1.5.x @ localhost
But I wonder why dane.sys4.de tells me "No TLSA records."
In fact there is some magic @sys4 that understands that postbank.de does not publish TLSA records.
postfix does not know this magic and leaves messages undelivered in my queue :-/
OK, I will now add the next whitelist entry to smtp_tls_policy_maps but that's no generic solution.
Any hints are appreciated.
Thanks,
Andreas
--
A. Schulze
DATEV eG
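
An added example, not part of the original post: a small classifier that maps a dig TLSA response to the action an RFC 7672 DANE SMTP client takes, showing why SERVFAIL defers mail while an authenticated "no TLSA" answer does not. It assumes dig queries a local validating resolver, so the `ad` flag can be trusted. Only the SERVFAIL header line comes from the post; the flags lines, the second sample and `mx.example.net` are constructed.

```python
import re

# Constructed dig output. The SERVFAIL header is the one quoted in the post;
# the flags/count lines and the whole NOERROR sample are made up.
SERVFAIL_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.mailrelay1.bonn.postbank.de. IN TLSA
"""
NODATA_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.mx.example.net. IN TLSA
"""

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"flags: ([a-z ]*);.*?ANSWER: (\d+)")


def classify_tlsa_lookup(dig_output):
    """Return the DANE outcome for one TLSA query as printed by dig."""
    status = STATUS.search(dig_output)
    flags = FLAGS.search(dig_output)
    if not status or not flags:
        return "unparseable"
    rcode = status.group(1)
    validated = "ad" in flags.group(1).split()
    answers = int(flags.group(2))
    if rcode not in ("NOERROR", "NXDOMAIN"):
        # Lookup error: absence of TLSA records is unproven, so the
        # client must not downgrade and the message stays queued.
        return "defer"
    if not validated:
        # Answer is not DNSSEC-validated: DANE does not apply to this host.
        return "no-dane-insecure"
    if rcode == "NOERROR" and answers > 0:
        # Simplification: assumes the answer section holds TLSA RRs.
        return "dane"
    # Validated NXDOMAIN or NODATA: authenticated proof that no TLSA
    # records exist, so delivery proceeds without DANE.
    return "no-tlsa-secure"


if __name__ == "__main__":
    for name, sample in (("servfail", SERVFAIL_SAMPLE), ("nodata", NODATA_SAMPLE)):
        print(name, "->", classify_tlsa_lookup(sample))
```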