Dear fellow postfixers!
I wanted to implement MTA-STS, and for this I use postfix-tlspol. It works for the most part, but I am wondering why I can no longer use the test website Learndmarc.com. That site gives you an email address to send mail to, to test your compliance. Whenever I comment out the line to use postfix-tlspol, which is:

smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY

I can deliver mail to that test site again.

The log message when using postfix-tlspol:

Evaluated policy for "learndmarc.com": dane-only (from cache, 15m2s remaining)

And mail log:

to=<ld-879a626...@learndmarc.com>, relay=none, delay=0.64, delays=0.1/0.02/0.51/0, dsn=4.7.5, status=deferred (no TLSA records found)

and when it is disabled, it works:

to=<ld-879a626...@learndmarc.com>, relay=uriports.com[2001:678:6a0::3:101]:25, delay=0.54, delays=0.1/0.02/0.35/0.07, dsn=2.0.0, status=sent (250 OK id=1uMvaB-00A4ia-29)

I don't understand why postfix-tlspol identifies a policy of dane-only when no TLSA records are present. The developer suggested this is a config issue of mine, so maybe; here is my config:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = dane
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
mailbox_size_limit = 0
allow_percent_hack = no
resolve_dequoted_address = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
milter_default_action = accept
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
smtpd_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes
smtpd_tls_dh1024_param_file = /etc/postfix/ffdhe4096.pem
tls_ssl_options = NO_COMPRESSION,NO_RENEGOTIATION
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
#smtp_tlsrpt_enable = yes
#smtp_tlsrpt_socket_name = run/tlsrpt/tlsrpt.sock
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY

I hope someone might have an idea what could be wrong.

Greets, Luca
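A way to see exactly what the policy daemon hands back to Postfix for a domain, independent of a mail delivery attempt: the script below speaks the Postfix socketmap protocol (netstring request "QUERY <domain>", netstring reply "OK <policy>" / "NOTFOUND " / "TEMP|TIMEOUT|PERM <reason>") to the same 127.0.0.1:8642 endpoint named in the smtp_tls_policy_maps line above. It is an added diagnostic written for this thread, not code from Postfix or postfix-tlspol; the domain and endpoint are taken from the post, and the sample reply in the comments is constructed.

```python
"""Query a Postfix socketmap TLS-policy server directly (diagnostic helper)."""
import io
import socket

VALID_STATUS = {"OK", "NOTFOUND", "TEMP", "TIMEOUT", "PERM"}


def encode_netstring(payload: bytes) -> bytes:
    """Netstring framing used by socketmap: "<len>:<bytes>,"."""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(reader) -> bytes:
    """Read one netstring from a binary file-like object, validating framing."""
    length = b""
    while True:
        ch = reader.read(1)
        if ch == b":":
            break
        if not ch or not ch.isdigit():
            raise ValueError("malformed netstring length")
        length += ch
    size = int(length)
    data = reader.read(size)
    if len(data) != size or reader.read(1) != b",":
        raise ValueError("truncated netstring")
    return data


def build_request(map_name: str, key: str) -> bytes:
    """socketmap request: netstring of "<map name> <lookup key>"."""
    return encode_netstring(f"{map_name} {key}".encode())


def parse_reply(reply: bytes) -> tuple[str, str]:
    """Split "OK dane-only" into ("OK", "dane-only"); "NOTFOUND " into ("NOTFOUND", "")."""
    status, _, data = reply.decode().partition(" ")
    if status not in VALID_STATUS:
        raise ValueError(f"unexpected socketmap status {status!r}")
    return status, data


def decode_reply(raw: bytes) -> tuple[str, str]:
    """Decode a raw framed reply such as the constructed b"12:OK dane-only,"."""
    return parse_reply(decode_netstring(io.BytesIO(raw)))


def query_policy(domain, host="127.0.0.1", port=8642, map_name="QUERY", timeout=5.0):
    """Ask the policy server what Postfix would receive for this next-hop domain."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(map_name, domain))
        with sock.makefile("rb") as reader:
            return parse_reply(decode_netstring(reader))


if __name__ == "__main__":
    import sys
    for dom in sys.argv[1:] or ["learndmarc.com"]:
        print(dom, *query_policy(dom))
```

Run it on the mail host with postfix-tlspol listening; if the reply for learndmarc.com is "OK dane-only" while the MX hosts publish no TLSA records, the mismatch is in the daemon's view of DNS (for example its resolver or cache), not in the Postfix settings shown here.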
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org