On Fri, Jun 06, 2025 at 12:15:53AM +0200, Luca vom Bruch wrote:

> I think it may be some DNS related issue on my server's local bind9/named
> install. It acts as its own nameserver with glue records. The sending domain
> on it is DNSSEC signed (the one I am sending mail from now).
>
> When I use the dig command to look up the TLSA it can find them. But somehow
> with postfix not.

The local resolver must not have been configured to perform DNSSEC
validation.

> But I now removed localhost as local DNS resolver and use google or quad9
> instead.

That largely defeats the point of DANE, since a remote MiTM attacker is now
able to forge DNS responses.

> For testing I tried with "dane-only" policy with and without
> postfix-tlspol and it works fine.

For DANE to provide meaningful protection the validating resolver MUST be
local (or be accessed via a VPN, DoH, DoT or DoQ).

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
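The two checks Viktor's reply implies, "does the resolver Postfix talks to actually validate DNSSEC?" and "is that resolver local, so the validated answer cannot be forged on the wire?", can be scripted. The following is an added example written for this page, not code from the thread or from the Postfix project. It assumes dig(1) is installed, that the resolver address and mail host name passed to `check_dane_resolver` are placeholders you replace, and that the Postfix settings it inspects are the standard `smtp_dns_support_level` and `smtp_tls_security_level` parameters read via `postconf -h`.

```shell
#!/bin/sh
# Added example: verify that a DANE-capable Postfix host is using a local,
# DNSSEC-validating resolver.  Resolver and host name are placeholders.

# Exit 0 if dig(1) output read on stdin carries the AD (authenticated data)
# flag, i.e. the resolver validated the answer; exit 1 otherwise.
has_ad_flag() {
    grep -qE '^;; flags:( [a-z]+)* ad[ ;]'
}

# Exit 0 if dig(1) output read on stdin has at least one TLSA record in the
# answer section for the queried name (e.g. _25._tcp.mail.example.com).
has_tlsa_answer() {
    name=$1
    grep -qE "^${name}\.?[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+TLSA[[:space:]]"
}

# Exit 0 if the resolver address is loopback.  A remote resolver may set AD,
# but the unauthenticated path from this host to it lets a MiTM forge both the
# answer and the flag, which is the point made in the reply above.
resolver_is_local() {
    case $1 in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the Postfix pair enables DANE with DNSSEC lookups:
# smtp_dns_support_level must be "dnssec" and smtp_tls_security_level
# "dane" or "dane-only".
postfix_dane_settings_ok() {
    dns_level=$1
    tls_level=$2
    [ "$dns_level" = dnssec ] || return 1
    case $tls_level in
        dane|dane-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: query the TLSA record for SMTP on MAILHOST through RESOLVER and
# require a validated (AD) answer containing TLSA data.
check_dane_resolver() {
    resolver=$1
    mailhost=$2
    qname="_25._tcp.$mailhost"
    out=$(dig +dnssec @"$resolver" "$qname" TLSA) || return 1
    resolver_is_local "$resolver" ||
        echo "WARN: $resolver is not local; the AD flag can be forged in transit"
    printf '%s\n' "$out" | has_tlsa_answer "$qname" ||
        { echo "no TLSA records returned for $qname"; return 1; }
    printf '%s\n' "$out" | has_ad_flag ||
        { echo "resolver $resolver did not validate (no AD flag)"; return 1; }
    echo "OK: $qname validated via $resolver"
}

# Usage: ./dane-check.sh 127.0.0.1 mail.example.com   (placeholder values)
if [ "$#" -eq 2 ]; then
    if command -v postconf >/dev/null 2>&1; then
        postfix_dane_settings_ok "$(postconf -h smtp_dns_support_level)" \
                                 "$(postconf -h smtp_tls_security_level)" ||
            echo "WARN: Postfix is not configured for DANE with DNSSEC lookups"
    fi
    check_dane_resolver "$1" "$2"
fi
```

Run it against 127.0.0.1 first; a missing AD flag there matches the symptom in the thread (dig finds the TLSA records, Postfix ignores them because the answer was never validated). Running it against a public resolver will usually show AD set but print the locality warning, which is exactly the residual risk the reply describes.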