xs4all enabled DANE outgoing verification

Jan-Pieter Cornet johnpc at xs4all.net
Mon Sep 3 12:57:07 CEST 2018


Hi,

On smtp.xs4all.nl we enabled DANE outgoing verification, but currently only with a "soft fail": if DANE fails, we fall back to non-DANE delivery... for now. Except for a few hardcoded domains (currently only our own, and havedane.net). If anyone feels confident about their own DANE setup, feel free to send me your domain (or domains), and I'll add it to the list of hardfails.

... but in a few weeks we'll disable the softfail anyway, if we don't see any problems (other than the ones in the danefail list, which I'm not yet using, but the softfail is hitting some of the domains on that list already).

We don't do smtp-tlsrpt reporting (yet?), but I can make some stats on demand for your domain, if you'd like that.

As a word of caution to other would-be DANE implementers: we also had problems with a domain that was not on the dane-fail list. This domain had DNSSEC and TLSA records for the MX host, but did not offer STARTTLS. That would be a huge red flag, and fortunately we had the softfail fallback so mail kept on being delivered. After investigating, it turned out that this domain had *my* IPs in an exception list of "do not offer TLS", because a few years ago we hit some sort of timeout bug that caused hanging connections. The hanging connection bug has since been solved, but the IP exception was still there...

So the moral of the story is: in addition to the domains in the dane-fail list, there might be local exceptions that might apply, so keep an eye on your logfiles.

-- 
Jan-Pieter Cornet <johnpc at xs4all.net>
Systeembeheer XS4ALL Internet bv
www.xs4all.nl
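The policy described in the message above, as an added example that is not xs4all's code: a short hard-fail list, soft-fail fallback for everyone else, and a per-domain soft-fail count of the kind a sender would review before turning the fallback off. The `Observation` fields and the sample delivery attempts are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Hard-fail list as stated in the post; every other domain gets the soft-fail fallback.
HARDFAIL_DOMAINS = {"xs4all.nl", "havedane.net"}

@dataclass
class Observation:
    """What the sending MTA saw for one delivery attempt (field names are assumed)."""
    domain: str
    mx: str
    tlsa_present: bool      # usable, DNSSEC-validated TLSA records exist for the MX host
    starttls_offered: bool  # the MX advertised STARTTLS in its EHLO response
    tlsa_matches: bool      # presented certificate matched a TLSA record (ignored if no TLS)

def decide(obs, hardfail=HARDFAIL_DOMAINS):
    """Return (action, reason); action is 'deliver-dane', 'deliver-fallback' or 'defer'."""
    if not obs.tlsa_present:
        return "deliver-fallback", "no usable TLSA records; opportunistic TLS"
    if not obs.starttls_offered:
        # The case from the post: DNSSEC + TLSA published, but the MX refuses TLS.
        reason = f"TLSA published for {obs.mx} but STARTTLS not offered"
    elif not obs.tlsa_matches:
        reason = f"certificate of {obs.mx} matches no TLSA record"
    else:
        return "deliver-dane", "DANE verified"
    if obs.domain in hardfail:
        return "defer", "DANE hard-fail: " + reason
    return "deliver-fallback", "DANE soft-fail: " + reason

def softfail_report(observations, hardfail=HARDFAIL_DOMAINS):
    """Count soft-fails per domain: the logfile review the post recommends."""
    counts = Counter()
    for obs in observations:
        action, reason = decide(obs, hardfail)
        if action == "deliver-fallback" and reason.startswith("DANE soft-fail"):
            counts[obs.domain] += 1
    return dict(counts)

if __name__ == "__main__":
    # Constructed sample delivery attempts, not real data.
    sample = [
        Observation("example.org", "mx.example.org", True, False, False),
        Observation("example.org", "mx.example.org", True, False, False),
        Observation("havedane.net", "mx.havedane.net", True, True, True),
    ]
    for obs in sample:
        print(obs.domain, *decide(obs))
    print(softfail_report(sample))
```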
