Dear Viktor,

I hope you maybe have a few minutes to help with a DANE question.

I have (tried to) set up floppy.org with DNSSEC and TLSA records in the zone file.
root@sonne:~# dig _25._tcp.floppy.org any

; <<>> DiG 9.20.9-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> _25._tcp.floppy.org any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f85d9d2491577b31010000006842991e908a56eb6c5f97a5 (good)
;; QUESTION SECTION:
;_25._tcp.floppy.org.           IN      ANY

;; ANSWER SECTION:
_25._tcp.floppy.org.    36000   IN      NSEC    _smtp._tls.floppy.org. RRSIG NSEC TLSA
_25._tcp.floppy.org.    36000   IN      RRSIG   NSEC 13 4 36000 20250618082914 20250604085831 44166 floppy.org. lLvRyLCgA64J4z7WcCuDc2199NUBBVKTatRBPhUPtfysYsbt1Af78sDz TOOqkWiFycgwKpPURGMRYAUSNUFvGA==
_25._tcp.floppy.org.    3600    IN      TLSA    3 1 1 78D7BF87633081A2D183918EB548597BC10F161E3CC329BF54BBFEBC B7BE7EA1
_25._tcp.floppy.org.    3600    IN      TLSA    3 1 1 1633E2C5287BDEA67BB7D2AC525707C3989B7B3223D60B91078B0015 ED355897
_25._tcp.floppy.org.    3600    IN      RRSIG   TLSA 13 4 3600 20250618082914 20250604085831 44166 floppy.org. Z4YeJuLsLxG54ag2CgjL+EdAt+/rDtTpjGauEKbrTodqu/q4uU7RaSID sCnUXig6bFti8BCp28OWQQTppVWFXQ==

DANE validator
https://www.mailhardener.com/tools/dane-validator?domain=floppy.org
says ok

The above SHA-256 fingerprints are from the fullchain.pem (or cert.pem, it doesn't
make a difference in the output) cert files.
main.cf:
...
smtpd_tls_chain_files = /etc/letsencrypt/live/sonne.floppy.org/privkey.pem,
                        /etc/letsencrypt/live/sonne.floppy.org/fullchain.pem,
                        /etc/letsencrypt/live/sonne.floppy.org-rsa/privkey.pem,
                        /etc/letsencrypt/live/sonne.floppy.org-rsa/fullchain.pem
...

https://dane.sys4.de/smtp/floppy.org
gives me the finger.

https://www.huque.com/bin/danecheck
complains as well with
DANE TLSA 3 1 1 [1633e2c5..]: FAIL did not match EE certificate
DANE TLSA 3 1 1 [78d7bf87..]: FAIL did not match EE certificate

Since you (or maybe Wietse) mentioned not to trust tests on the internet, I am
wondering whether I am still missing something in the DANE setup for my domain. Can
you verify/help?

Thanks for reading & helping.
Florian

--

Florian Piekert, PMP                           flo...@floppy.org

Velberstraße 6                   Telephone+Fax: +49-179- 3928582
30451 Hannover / Germany

================================================================
Note: this message was sent by me *only* if the e-mail message contains a correct PGP
signature corresponding to my address at flo...@floppy.org. Do you need my PGP public
key? Check out http://www.floppy.org or send me an email with the subject "send pgp
public key" to this address of mine. Thx!


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
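Added example (not part of Florian's message, and not Postfix code): a standard-library Python script that recomputes TLSA certificate association data from an X.509 certificate the way the DANE validators quoted above do before comparing it with what the zone publishes. Per RFC 6698, a "3 1 1" record is usage DANE-EE(3), selector SPKI(1), matching type SHA-256(1): the digest covers only the DER-encoded SubjectPublicKeyInfo of the end-entity certificate the MX presents, so it stays constant across renewals that keep the key and is a different value from the SHA-256 of the whole certificate, which is what a "3 0 1" record carries. The script builds a structurally valid, unsigned sample certificate inline (constructed data standing in for the real sonne.floppy.org certificate, which is not reproduced here) and checks three records against it, including a whole-certificate digest published under selector 1 to show how that case fails. `pem_to_der` takes the first CERTIFICATE block of a PEM file, which in a Let's Encrypt fullchain.pem is the EE certificate.

```python
# Recompute DANE TLSA association data from an X.509 certificate.
# Standard library only: a minimal DER walker finds the SubjectPublicKeyInfo.
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """DER of the first CERTIFICATE block (the EE cert in a Let's Encrypt fullchain.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_tlv(buf: bytes, pos: int):
    """Decode the tag/length header at buf[pos:]; return (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F                           # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def der_children(buf: bytes, pos: int, end: int):
    """Yield (tag, start, stop) for the TLVs laid end to end in buf[pos:end]."""
    while pos < end:
        tag, hdr, length = der_tlv(buf, pos)
        yield tag, pos, pos + hdr + length
        pos += hdr + length

def extract_spki(cert_der: bytes) -> bytes:
    """DER bytes of the SubjectPublicKeyInfo inside an X.509 certificate."""
    tag, hdr, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs_start, tbs_end = next(der_children(cert_der, hdr, len(cert_der)))
    tbs_hdr = der_tlv(cert_der, tbs_start)[1]
    fields = list(der_children(cert_der, tbs_start + tbs_hdr, tbs_end))
    if fields and fields[0][0] == 0xA0:        # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, stop = fields[5]
    return cert_der[start:stop]

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Certificate association data (upper-case hex) for an RFC 6698 selector/matching type."""
    if selector == 0:
        subject = cert_der                     # Cert(0): whole certificate
    elif selector == 1:
        subject = extract_spki(cert_der)       # SPKI(1): public key only
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return subject.hex().upper()           # Full(0): no hash
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).hexdigest().upper()
    raise ValueError(f"unknown matching type {mtype}")

def check_tlsa(records, cert_der: bytes):
    """Decide (usage, selector, mtype, data) records against the EE certificate.
    Only DANE-EE(3) is decided; usages 0-2 need chain processing and get None."""
    out = []
    for usage, selector, mtype, data in records:
        want = re.sub(r"\s+", "", data).upper()  # dig prints the hex with a space in it
        ok = (tlsa_data(cert_der, selector, mtype) == want) if usage == 3 else None
        out.append((usage, selector, mtype, want, ok))
    return out

# --- constructed sample certificate: no real key, dummy signature -----------
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert(pubkey_bits: bytes, serial: int = 1) -> bytes:
    """Structurally valid X.509 v3 shell around `pubkey_bits` (sample input only)."""
    rsa_enc = _tlv(0x06, bytes.fromhex("2A864886F70D010101"))     # rsaEncryption
    sha256_rsa = _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
    sig_alg = _tlv(0x30, sha256_rsa + _tlv(0x05, b""))
    spki = _tlv(0x30, _tlv(0x30, rsa_enc + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + pubkey_bits))
    name = _tlv(0x30, b"")                                         # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))

SAMPLE_KEY = bytes(range(1, 33))   # constructed stand-in for an encoded public key

if __name__ == "__main__":
    cert = constructed_cert(SAMPLE_KEY)
    records = [
        (3, 1, 1, tlsa_data(cert, 1, 1)),  # correct 3 1 1: SHA-256 over the SPKI
        (3, 1, 1, tlsa_data(cert, 0, 1)),  # whole-cert digest published as 3 1 1
        (3, 0, 1, tlsa_data(cert, 0, 1)),  # the same digest is right for 3 0 1
    ]
    for usage, sel, mt, data, ok in check_tlsa(records, cert):
        print(f"TLSA {usage} {sel} {mt} [{data[:8].lower()}..]: {'MATCH' if ok else 'FAIL'}")
```

Against a real server the same comparison is done with OpenSSL: capture the EE certificate with `openssl s_client -starttls smtp -connect sonne.floppy.org:25 -showcerts </dev/null` (hostname taken from the main.cf above), then `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` gives the value a "3 1 1" record must carry, which is what `tlsa_data(cert, 1, 1)` computes; `openssl x509 -in cert.pem -outform DER | openssl dgst -sha256` is the "3 0 1" value instead. Since the MX serves two certificates (ECDSA and RSA, per the two `smtpd_tls_chain_files` pairs), each one needs its own record, and the check has to be run against whichever certificate the server actually presents for the negotiated cipher suite.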
