I am currently doing some tests with Postfix 3.10 and postfix-tlspol
(using QUERYwithTLSRPT).
I see positive feedback for DANE as well as MTA-STS on the tlsrpt
socket. However, I was not able to produce negative feedback yet. In
case of "non DNSSEC destination", nothing is written to the tlsrpt
socket, and if I set smtpd_tls_security_level=no on an MX that handles a
DANE-enabled domain, the Postfix 3.10 smtp hangs after establishing the
TCP connection. The last log line is of the form

    smtp[1234567]: DNSSEC-signed TLSA record: _25._tcp.example.com: 3 1 1 DEADBEEF...

A tcpdump between smtp and smtpd shows a TCP handshake but no payload at
all.
On the tlsrpt socket, I would expect negative feedback signaling
"starttls-not-supported" and "dnssec-invalid" or "dane-required".
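
For reference, this is how the failure result types named in the post would appear in an RFC 8460 aggregate report once a collector has counted them. It is an added example, not part of the original post and not Postfix or postfix-tlspol code; the function name, session tuples, host names and addresses are constructed.

```python
import json
from collections import Counter

# Result types defined in RFC 8460, section 4.3.
RESULT_TYPES = {
    "starttls-not-supported", "certificate-host-mismatch",
    "certificate-expired", "certificate-not-trusted", "validation-failure",
    "tlsa-invalid", "dnssec-invalid", "dane-required",          # DANE
    "sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
}

def build_tlsa_policy_entry(policy_domain, tlsa_records, sessions):
    """Aggregate per-session outcomes into one RFC 8460 "policies" entry.

    sessions: iterable of (result_type_or_None, sending_ip, mx_hostname, mx_ip);
    None marks a successful session.
    """
    ok = 0
    failures = Counter()  # keeps first-seen order of each failure key
    for result, src, mx, dst in sessions:
        if result is None:
            ok += 1
        elif result in RESULT_TYPES:
            failures[(result, src, mx, dst)] += 1
        else:
            raise ValueError(f"not an RFC 8460 result type: {result!r}")
    return {
        "policy": {"policy-type": "tlsa",
                   "policy-string": list(tlsa_records),
                   "policy-domain": policy_domain},
        "summary": {"total-successful-session-count": ok,
                    "total-failure-session-count": sum(failures.values())},
        "failure-details": [
            {"result-type": r, "sending-mta-ip": src,
             "receiving-mx-hostname": mx, "receiving-ip": dst,
             "failed-session-count": n}
            for (r, src, mx, dst), n in failures.items()],
    }

# Constructed sample: one good session, two without STARTTLS, one DNSSEC failure.
SAMPLE_SESSIONS = [
    (None, "192.0.2.10", "mx1.example.com", "198.51.100.25"),
    ("starttls-not-supported", "192.0.2.10", "mx2.example.com", "198.51.100.26"),
    ("starttls-not-supported", "192.0.2.10", "mx2.example.com", "198.51.100.26"),
    ("dnssec-invalid", "192.0.2.10", "mx1.example.com", "198.51.100.25"),
]

if __name__ == "__main__":
    entry = build_tlsa_policy_entry("example.com", ["3 1 1 <constructed-digest>"], SAMPLE_SESSIONS)
    print(json.dumps(entry, indent=2))
```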