On Tue, Oct 17, 2023 at 05:47:11PM +0200, Markus Ueberall via Postfix-users 
wrote:

> On 17.08.23, 01:48 Viktor Dukhovni wrote via Postfix-users:
> > So far, the pattern of Microsoft's outbound systems disconnecting
> > immediately after a completed TLS handshake strongly correlates with a
> > broken TLSA setup.
> 
> For the record: I stumbled across this a couple of days ago when I received
> a message on LinkedIn telling me that a number of e-mails sent via
> Microsoft's outbound systems had bounced. Given that occasional tests using
> MECSA (https://mecsa.jrc.ec.europa.eu/) and DNSSEC and DANE Validation (part
> of the Microsoft Remote Connectivity Analyzer,
> https://testconnectivity.microsoft.com/tests/O365DaneValidation/input)
> looked /good/ (all TLSA entries for ECDSA/RSA certificates used by a certain
> domain and its subdomains were always listed under subname "_tcp", with a
> couple of CNAME entries "*._tcp", "[*.]_tcp.subdomain", ... pointing to said
> subname), it took a while to realize that the above "STARTTLS,QUIT"
> behaviour is due to the fact that said outbound systems do not like to come
> across non-matching TLSA entries (for other certificates used by the
> webserver) anymore.

Are you *SURE* about that?  That would be a substantial departure from
the DANE specifications.  Extraneous *non-matching* DANE TLSA records
MUST be simply ignored.  Any single *matching* TLSA record is
sufficient.

> The simple solution was to introduce a new specific subname "_25._tcp"
> (which takes precedence over the generic "*._tcp" CNAME) and duplicate/move
> the TLSA entries directly related to the certificate used by postfix for the
> (sub)domain(s) in question there. In hindsight, this means: Whenever the
> MRCA test results (see above) show something marked in red, you should check
> whether it's possible to modify your configuration.

If the new TLSA RRset at the _25._tcp. prefix is a proper subset of the
original (wildcard or explicit CNAME) shared RRset, and delivery works
for the subset and not the whole set, then there's a genuine problem with
the sender's implementation.

Have you tried using an explicit CNAME instead of a wildcard CNAME, and
still using the shared RRset:

    _25._tcp.smtp.acme.example. IN CNAME _tcp.acme.example.
    _tcp.acme.example. IN TLSA 3 1 1 ...
    _tcp.acme.example. IN TLSA 3 1 1 ...
    ...

Perhaps they just have issues with wildcard-synthesised CNAMEs?

    $ dig +dnssec +nocmd +nocl +nottl +nocrypto -t tlsa 
_25._tcp.node1.projektzentrisch.de.
    ;; Truncated, retrying in TCP mode.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19327
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 23, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1400
    ;; QUESTION SECTION:
    ;_25._tcp.node1.projektzentrisch.de. IN TLSA

    ;; ANSWER SECTION:
    _25._tcp.node1.projektzentrisch.de. CNAME _tcp.projektzentrisch.de.
    _25._tcp.node1.projektzentrisch.de. RRSIG CNAME 13 4 3600 20231026000000 
20231005000000 25749 projektzentrisch.de. [omitted]
    _tcp.projektzentrisch.de. TLSA  2 1 1 
276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
    _tcp.projektzentrisch.de. TLSA  2 1 1 
60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18
    _tcp.projektzentrisch.de. TLSA  2 1 1 
8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
    _tcp.projektzentrisch.de. TLSA  2 1 2 
0F644C9A1DCB8C04BE6B385A60DBE4FDF7E2B81E335C9AD8C7CD0ABE 
2FF9E7E5BBFBB68B38DD0216F17808F48BDF6AF8C6347659C1F41A98 58032C31F436D12C
    _tcp.projektzentrisch.de. TLSA  2 1 2 
3561540FBF182BCE7749ACC131B421E691F083569C053E78F2027471 
4C5E801226FF6EDB60641DDF70E71BD3A90DFE25DDD6464BE78106B7 7DECE4F6A3BFF13D
    _tcp.projektzentrisch.de. TLSA  2 1 2 
774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E 
334D7CD6ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82 FCC2A9146629B140
    _tcp.projektzentrisch.de. TLSA  3 1 1 
1658A1AB90437DEA0BC2F855611DAD7A4AD11FE1BA3F2DFDF69E992B 8FF9513D
    _tcp.projektzentrisch.de. TLSA  3 1 1 
34E64B8E329F0F5C94A1EC6B11EF65CF87902A99E4B29A4D4E117631 75083D26
    _tcp.projektzentrisch.de. TLSA  3 1 1 
C887C34E3FB37DBEBB62E6840E2403473D4E81B8F97DDAD3791CC12F DE0DD4E5
    _tcp.projektzentrisch.de. TLSA  3 1 1 
CB0109E6FD1E9AA463240E6325A96EA8CCAEB80602E65FE52D6B996C 7F1DC147
    _tcp.projektzentrisch.de. TLSA  3 1 2 
2D441EFBDCF23127AFE6CA71EA246C01FA9BC1DA02DF1BB487711511 
305D96386B027CC353EB414757B6C5D072C7803CB9879B1C8ECCEEBA 472D43F7E4B68B64
    _tcp.projektzentrisch.de. TLSA  3 1 2 
3B3779319C8A8A1454A81176836487B849B9B91141B1EEE6B80AC17C 
E8F7679311E1F45BF1D1F71E0A5EEFA533CF8D9B35006CF6E85AF1EB 0AC2603C9B4BE3A8
    _tcp.projektzentrisch.de. TLSA  3 1 2 
56A671F5ED718EADF4FD6376E800E5FC6F82ECBE13AD8D6283742DF6 
1F99A129125DE8BC2106182D50672CF69FEF42AA97AA8D0C21506AD4 481D7A21B450EE9F
    _tcp.projektzentrisch.de. TLSA  3 1 2 
5A459743D85930AB16B8F6006257A0530981F97D42F90F272430EC2C 
D47358980E6918B4438A8076FA0DF22925F682D67A0AE2993B722651 0D84F7AF6E7CCBD4
    _tcp.projektzentrisch.de. TLSA  3 1 2 
5E361883B2C9801258F198A28BEA0F552E22F712C62EBB6269743CEE 
EBC15F0511CB7DDD30C415877E9293969D3C8EFA82E6F56B3CB8EECF 29C50FEC0FFCD060
    _tcp.projektzentrisch.de. TLSA  3 1 2 
7A56D1803DD3A44D036AE5923CB0CBCFBF55DFE1FD5E5FADB5EF1FBC 
07A28407F53CF5F383736E60AE94C14EDD0DC64ABF1528BEC6E61DE1 C032D328B0ADA679
    _tcp.projektzentrisch.de. TLSA  3 1 2 
7C2CA918D82615F20F5AE67E9D68FA7B09816439DFFE16C71ACFAC37 
B2C526D7094DD5B47F3729CDD4178A3E9A5AB8D66B3EFFB8CA267CAA DACF619B02501FF0
    _tcp.projektzentrisch.de. TLSA  3 1 2 
85CDF4D33A20FEDD79893CA59AC3C77CDD917CEB4E7C7D0477B7C6B7 
A26C5D8E0528BB57078041F014E39C78C4C96C825ED115B08EC655E7 6F3BF011EE30B2F3
    _tcp.projektzentrisch.de. TLSA  3 1 2 
8B5E364C57D31516DACEA574B98F8BE91F6CD9A0E08D97552CCCF71F 
564ABA7ECAEFA4A57293D04DC1FC4F75EC4123FE4C7B63A3878665CF 9CF889E868848491
    _tcp.projektzentrisch.de. TLSA  3 1 2 
A03A9E370A01B8CBA7051E7A3BACCDFAD09300B99619F1B8121BAC6E 
549E5768D1452BD7EA1E416141AAB8B6FCC8BB0D7F35FA96A82F5A1E AF5D2F46E2EBCEE3
    _tcp.projektzentrisch.de. RRSIG TLSA 13 3 3600 20231026000000 
20231005000000 25749 projektzentrisch.de. [omitted]

    ;; AUTHORITY SECTION:
    b4qc2adiaqajfp9u9hfsm2e8lih0sm8v.projektzentrisch.de. NSEC3 1 0 0 - 
B6M8SVQ9SCBEFR2MG7H9QIQD2OV8VRI9 RRSIG OPENPGPKEY
    b4qc2adiaqajfp9u9hfsm2e8lih0sm8v.projektzentrisch.de. RRSIG NSEC3 13 3 300 
20231026000000 20231005000000 25749 projektzentrisch.de. [omitted]

    ;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
    ;; MSG SIZE  rcvd: 1864

A significant number of DANE-enabled MX hosts have additional TLSA
records that don't match the current certificate, sometimes that's a
future value, sometimes a past value, but without this key
non-disruptive key rollovers are not possible.

Testing "virtual-host.org", I see one matching TLSA record, and two
non-matching TLSA records:

    https://testconnectivity.microsoft.com/result/9bd3f738-c028-dfc6-4b1a-2fb9b5b71f93

The overall status is reported all GREEN "DANE validation succeeded".

You have to zoom in two levels of detail to see the non-matching
records.  The presentation of the detailed results is surely misleading;
it seems very unlikely that Microsoft have been doing it all wrong for
quite some time now without anyone noticing.

A somewhat less plausible issue for Microsoft is the size of your TLSA
RRset.  It is large enough to require TCP fallback.  (Their resolver
should cope, and large TLSA RRsets are not as rare as I'd recommend).

Bigger is not better in this context.  There's no need for both "3 1 1"
and "3 1 2" records.  With "3 1 1" include only the ones that recently
matched or will soon match an actual certificate for the service in
question (one per algorithm if deploying keys for multiple algorithms).

    projektzentrisch.de. IN MX 10 node1.projektzentrisch.de.
    projektzentrisch.de. IN MX 10 node2.projektzentrisch.de.
    _25._tcp.node1.projektzentrisch.de. IN CNAME _tcp.projektzentrisch.de. ; 
wildcard synthesised!
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
0f644c9a1dcb8c04be6b385a60dbe4fdf7e2b81e335c9ad8c7cd0abe2ff9e7e5bbfbb68b38dd0216f17808f48bdf6af8c6347659c1f41a9858032c31f436d12c
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
3561540fbf182bce7749acc131b421e691f083569c053e78f20274714c5e801226ff6edb60641ddf70e71bd3a90dfe25ddd6464be78106b77dece4f6a3bff13d
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
1658a1ab90437dea0bc2f855611dad7a4ad11fe1ba3f2dfdf69e992b8ff9513d
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
34e64b8e329f0f5c94a1ec6b11ef65cf87902a99e4b29a4d4e11763175083d26
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
c887c34e3fb37dbebb62e6840e2403473d4e81b8f97ddad3791cc12fde0dd4e5
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
cb0109e6fd1e9aa463240e6325a96ea8ccaeb80602e65fe52d6b996c7f1dc147
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
2d441efbdcf23127afe6ca71ea246c01fa9bc1da02df1bb487711511305d96386b027cc353eb414757b6c5d072c7803cb9879b1c8ecceeba472d43f7e4b68b64
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
3b3779319c8a8a1454a81176836487b849b9b91141b1eee6b80ac17ce8f7679311e1f45bf1d1f71e0a5eefa533cf8d9b35006cf6e85af1eb0ac2603c9b4be3a8
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
56a671f5ed718eadf4fd6376e800e5fc6f82ecbe13ad8d6283742df61f99a129125de8bc2106182d50672cf69fef42aa97aa8d0c21506ad4481d7a21b450ee9f
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
5a459743d85930ab16b8f6006257a0530981f97d42f90f272430ec2cd47358980e6918b4438a8076fa0df22925f682d67a0ae2993b7226510d84f7af6e7ccbd4
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
5e361883b2c9801258f198a28bea0f552e22f712c62ebb6269743ceeebc15f0511cb7ddd30c415877e9293969d3c8efa82e6f56b3cb8eecf29c50fec0ffcd060
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
7a56d1803dd3a44d036ae5923cb0cbcfbf55dfe1fd5e5fadb5ef1fbc07a28407f53cf5f383736e60ae94c14edd0dc64abf1528bec6e61de1c032d328b0ada679
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
7c2ca918d82615f20f5ae67e9d68fa7b09816439dffe16c71acfac37b2c526d7094dd5b47f3729cdd4178a3e9a5ab8d66b3effb8ca267caadacf619b02501ff0
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
85cdf4d33a20fedd79893ca59ac3c77cdd917ceb4e7c7d0477b7c6b7a26c5d8e0528bb57078041f014e39c78c4c96c825ed115b08ec655e76f3bf011ee30b2f3
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
8b5e364c57d31516dacea574b98f8be91f6cd9a0e08d97552cccf71f564aba7ecaefa4a57293d04dc1fc4f75ec4123fe4c7b63a3878665cf9cf889e868848491
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
a03a9e370a01b8cba7051e7a3baccdfad09300b99619f1b8121bac6e549e5768d1452bd7ea1e416141aab8b6fcc8bb0d7f35fa96a82f5a1eaf5d2f46e2ebcee3
    _25._tcp.node2.projektzentrisch.de. IN CNAME _tcp.projektzentrisch.de. ; 
wildcard synthesised!
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    _tcp.projektzentrisch.de. IN TLSA 2 1 1 
8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
0f644c9a1dcb8c04be6b385a60dbe4fdf7e2b81e335c9ad8c7cd0abe2ff9e7e5bbfbb68b38dd0216f17808f48bdf6af8c6347659c1f41a9858032c31f436d12c
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
3561540fbf182bce7749acc131b421e691f083569c053e78f20274714c5e801226ff6edb60641ddf70e71bd3a90dfe25ddd6464be78106b77dece4f6a3bff13d
    _tcp.projektzentrisch.de. IN TLSA 2 1 2 
774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
1658a1ab90437dea0bc2f855611dad7a4ad11fe1ba3f2dfdf69e992b8ff9513d
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
34e64b8e329f0f5c94a1ec6b11ef65cf87902a99e4b29a4d4e11763175083d26
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
c887c34e3fb37dbebb62e6840e2403473d4e81b8f97ddad3791cc12fde0dd4e5
    _tcp.projektzentrisch.de. IN TLSA 3 1 1 
cb0109e6fd1e9aa463240e6325a96ea8ccaeb80602e65fe52d6b996c7f1dc147
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
2d441efbdcf23127afe6ca71ea246c01fa9bc1da02df1bb487711511305d96386b027cc353eb414757b6c5d072c7803cb9879b1c8ecceeba472d43f7e4b68b64
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
3b3779319c8a8a1454a81176836487b849b9b91141b1eee6b80ac17ce8f7679311e1f45bf1d1f71e0a5eefa533cf8d9b35006cf6e85af1eb0ac2603c9b4be3a8
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
56a671f5ed718eadf4fd6376e800e5fc6f82ecbe13ad8d6283742df61f99a129125de8bc2106182d50672cf69fef42aa97aa8d0c21506ad4481d7a21b450ee9f
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
5a459743d85930ab16b8f6006257a0530981f97d42f90f272430ec2cd47358980e6918b4438a8076fa0df22925f682d67a0ae2993b7226510d84f7af6e7ccbd4
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
5e361883b2c9801258f198a28bea0f552e22f712c62ebb6269743ceeebc15f0511cb7ddd30c415877e9293969d3c8efa82e6f56b3cb8eecf29c50fec0ffcd060
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
7a56d1803dd3a44d036ae5923cb0cbcfbf55dfe1fd5e5fadb5ef1fbc07a28407f53cf5f383736e60ae94c14edd0dc64abf1528bec6e61de1c032d328b0ada679
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
7c2ca918d82615f20f5ae67e9d68fa7b09816439dffe16c71acfac37b2c526d7094dd5b47f3729cdd4178a3e9a5ab8d66b3effb8ca267caadacf619b02501ff0
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
85cdf4d33a20fedd79893ca59ac3c77cdd917ceb4e7c7d0477b7c6b7a26c5d8e0528bb57078041f014e39c78c4c96c825ed115b08ec655e76f3bf011ee30b2f3
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
8b5e364c57d31516dacea574b98f8be91f6cd9a0e08d97552cccf71f564aba7ecaefa4a57293d04dc1fc4f75ec4123fe4c7b63a3878665cf9cf889e868848491
    _tcp.projektzentrisch.de. IN TLSA 3 1 2 
a03a9e370a01b8cba7051e7a3baccdfad09300b99619f1b8121bac6e549e5768d1452bd7ea1e416141aab8b6fcc8bb0d7f35fa96a82f5a1eaf5d2f46e2ebcee3

The above even include matches for the long-retired Let's Encrypt X3 CA,
which SHOULD long ago have been removed?

    https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

-- 
    Viktor.
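An added example, not part of the thread or of Postfix, illustrating two points made above: a DANE SMTP client skips TLSA records it cannot use (PKIX usages, unknown matching types) and simply ignores non-matching ones, so a single matching record among many stale ones is enough; and a TLSA RRset of the shape shown above is large enough to push a DNS answer past the common EDNS UDP buffer sizes. The certificates are constructed placeholder byte strings standing in for the DER certificate and its SubjectPublicKeyInfo; the names `Cert`, `TLSA`, `tlsa_match` and `rrset_wire_size` are this example's own, and the wire-size figure is an estimate (owner name compression assumed, no RRSIG counted), not a reproduction of dig's "MSG SIZE".

```python
# Added example (not from the Postfix-users thread): a minimal DANE-EE/DANE-TA
# matcher in the spirit of RFC 6698 / RFC 7671 / RFC 7672, plus a rough wire
# size estimate for a TLSA RRset.  Certificates are CONSTRUCTED placeholder
# bytes, not real X.509 DER; a real client takes the leaf DER and its
# SubjectPublicKeyInfo from the TLS handshake.
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0=PKIX-TA 1=PKIX-EE 2=DANE-TA 3=DANE-EE
    selector: int   # 0=full certificate 1=SubjectPublicKeyInfo
    mtype: int      # 0=exact 1=SHA-256 2=SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    der: bytes      # constructed stand-in for the DER certificate
    spki: bytes     # constructed stand-in for its SubjectPublicKeyInfo


def _assoc(cert: Cert, selector: int, mtype: int) -> Optional[bytes]:
    """Association data a record with this selector/mtype would carry."""
    raw = {0: cert.der, 1: cert.spki}.get(selector)
    if raw is None:
        return None
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    return None  # unknown matching type: record is unusable, not an error


def usable(rr: TLSA) -> bool:
    """RFC 7672: SMTP clients ignore PKIX-TA(0)/PKIX-EE(1) records and any
    record whose selector or matching type they do not understand."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def tlsa_match(rrset: Iterable[TLSA], chain: List[Cert]) -> Optional[TLSA]:
    """Return the first usable record that matches the presented chain,
    else None.  Non-matching records are skipped; one match suffices."""
    leaf, issuers = chain[0], chain[1:]
    for rr in rrset:
        if not usable(rr):
            continue
        if rr.usage == 3:                       # DANE-EE: only the leaf
            if _assoc(leaf, rr.selector, rr.mtype) == rr.data:
                return rr
        else:                                   # DANE-TA: any issuer cert
            for ca in issuers:
                if _assoc(ca, rr.selector, rr.mtype) == rr.data:
                    return rr
    return None


def rrset_wire_size(owner: str, rrset: Iterable[TLSA]) -> int:
    """Approximate DNS wire size of one TLSA RRset: first owner name in
    full, later owners as 2-byte compression pointers, 10-byte RR header
    (TYPE, CLASS, TTL, RDLENGTH) and 3 bytes usage/selector/mtype each."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    name_len = sum(1 + len(l) for l in labels) + 1   # + root label
    total = 0
    for i, rr in enumerate(rrset):
        total += (name_len if i == 0 else 2) + 10 + 3 + len(rr.data)
    return total


# --- constructed demo data (hypothetical, not real certificates) ---
LEAF = Cert(der=b"constructed-leaf-der", spki=b"constructed-leaf-spki")
ISSUER = Cert(der=b"constructed-issuer-der", spki=b"constructed-issuer-spki")
STALE = Cert(der=b"constructed-retired-der", spki=b"constructed-retired-spki")


def demo_rrset() -> List[TLSA]:
    return [
        TLSA(1, 1, 1, hashlib.sha256(LEAF.spki).digest()),    # PKIX-EE: ignored
        TLSA(3, 1, 1, hashlib.sha256(STALE.spki).digest()),   # past key: no match
        TLSA(3, 1, 9, b"\x00" * 32),                          # unknown mtype: skipped
        TLSA(3, 1, 1, hashlib.sha256(LEAF.spki).digest()),    # current key: matches
        TLSA(2, 1, 2, hashlib.sha512(ISSUER.spki).digest()),  # CA pin: also usable
    ]


def demo() -> Tuple[bool, int]:
    """Match against the demo RRset, and size an RRset shaped like the one
    quoted above (3x '2 1 1', 3x '2 1 2', 4x '3 1 1', 10x '3 1 2')."""
    hit = tlsa_match(demo_rrset(), [LEAF, ISSUER])
    big = ([TLSA(2, 1, 1, b"\x11" * 32)] * 3 + [TLSA(2, 1, 2, b"\x22" * 64)] * 3
           + [TLSA(3, 1, 1, b"\x33" * 32)] * 4 + [TLSA(3, 1, 2, b"\x44" * 64)] * 10)
    return hit is not None, rrset_wire_size("_tcp.projektzentrisch.de.", big)


if __name__ == "__main__":
    print(demo())
```

The 20-record set alone accounts for roughly 1380 bytes of answer before RRSIGs and the CNAME are added, which is why the dig run above had to retry over TCP; a set trimmed to the current and next key per algorithm stays comfortably within a single UDP answer.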