On Wed, Oct 18, 2023 at 10:17:52PM +0200, Markus Ueberall wrote:
> On 18.10.23, 22:11 Markus Ueberall wrote via Postfix-users:
> > I just tried an explicit "_25._tcp" CNAME as suggested above (using the
> > shared RRset) /alongside/ the existing "*._tcp" CNAME which I did not
> > want to remove/replace for one domain ("D1") while keeping my
> > aforementioned setup for a second domain ("D2"). Then I waited for a
> > couple of hours to be sure that all outdated cache entries are gone (TTL
> > for all entries is 3600 seconds), and sent another test e-mail each to
> > both domains (one immediately after the other). Lo and behold: The one
> > addressed to D2 got delivered, the one addressed to D1 still causes the
> > logs to be filled with the same dreaded STARTTLS,QUIT pattern at the
> > time of writing.
> >
> > This means that it's either not only the required lookup of a wildcard
> > CNAME that causes problems or the simple fact that there is a wildcard
> > CNAME although it should be ignored in this case.
>
> Sorry, scratch the second part of the last sentence after "or the simple
> fact"; "D2" also still has said wildcard CNAME.
So what's the bottom line? Are Microsoft's outbound MTAs, in fact, having
problems delivering mail to domains with additional non-matching TLSA
records? Or is the problem some other aspect of your configuration?
Possible factors:

- Use of TLSA CNAMEs (wildcard or otherwise)?
- Size of TLSA RRsets?
- Mixture of "3 1 1" and "3 1 2" records?
- Deploying both ECDSA and RSA?
- Publishing both "2 1 X" and "3 1 X" records?

Have you opened a ticket with Microsoft? Though it would take some effort
on your part, it would be rather beneficial to the broader ecosystem, and
to your ability to later make configuration changes with confidence, to
find the root cause of the issues you're reporting.

-- 
	Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
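To work through the checklist in the reply above, here is an added example (not code from the thread or from Postfix) that audits a published TLSA RRset for the listed factors and checks whether any "3 1 X" record actually matches the server's SPKI. The SPKI bytes and the RRset are constructed inline for the demo; in practice the SPKI is the DER SubjectPublicKeyInfo of the MX certificate and the records come from the `_25._tcp.<mx>` TLSA lookup.

```python
"""Audit a TLSA RRset: size, mixed matching types, mixed usages, SPKI match."""
import hashlib
from collections import Counter

# Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key).
SPKI = b"constructed-spki-bytes-for-demo"

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types


def tlsa_record_for(spki: bytes, usage=3, selector=1, mtype=1) -> str:
    """Build TLSA presentation text ("usage selector mtype hex") for an SPKI."""
    return f"{usage} {selector} {mtype} {DIGESTS[mtype](spki).hexdigest()}"


def parse_tlsa(rdata: str):
    """Split presentation text; whitespace inside the hex data is allowed."""
    u, s, m, data = rdata.split(None, 3)
    return int(u), int(s), int(m), data.replace(" ", "").lower()


def audit_rrset(records, spki: bytes) -> dict:
    parsed = [parse_tlsa(r) for r in records]
    usages = Counter(u for u, _, _, _ in parsed)
    mtypes = Counter(m for _, _, m, _ in parsed)

    def ee_spki_matches(rec) -> bool:
        # Only DANE-EE (3) with selector SPKI (1) and a hashed matching type.
        u, s, m, data = rec
        if u != 3 or s != 1 or m not in DIGESTS:
            return False
        return DIGESTS[m](spki).hexdigest() == data

    return {
        "rrset_size": len(parsed),
        "mixed_matching_types": len(mtypes) > 1,      # e.g. 3 1 1 and 3 1 2
        "mixed_usages_2_and_3": 2 in usages and 3 in usages,
        "ee_spki_match": any(ee_spki_matches(r) for r in parsed),
    }


# Constructed RRset exhibiting several of the listed factors at once.
RECORDS = [
    tlsa_record_for(SPKI, 3, 1, 1),
    tlsa_record_for(SPKI, 3, 1, 2),
    tlsa_record_for(b"constructed-other-key", 3, 1, 1),  # non-matching extra
    "2 1 1 " + "00" * 32,                                # constructed DANE-TA
]

if __name__ == "__main__":
    print(audit_rrset(RECORDS, SPKI))
```

A real run would feed in the live RRset and the SPKI extracted from the certificate the MX presents, so the "ee_spki_match" flag tells you whether the remaining records are stale or merely additional.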