* Patrick Ben Koetter <postfix-users@postfix.org>:
> * Viktor Dukhovni <postfix-users@postfix.org>:
> > On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote:
> > > Greetings,
> > > 
> > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
> > > 
> > >     warning: sys4.de: dane configured, but no requisite library support
> > > 
> > > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
> > > suggests the underlying OpenSSL library is too old. Viktor writes at least
> > > OpenSSL 1.0.0 would be required.
> > > 
> > > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
> > > Could it be the openssl package has been built without DANE support? What
> > > can I do to track this down?
> > 
> > Beyond OpenSSL 1.0.0, you also need the resolver headers to define:
> > 
> >     RES_USE_DNSSEC
> >     RES_USE_EDNS0
> > 
> > and for OpenSSL to *not* define OPENSSL_NO_ECDH.  On RedHat systems,
> > it is this last constraint that is the likely problem.  RedHat
> > systems have historically disabled EC algorithms based on FUD around
> > Certicom's patents (the most important of which, point compression,
> > expires tomorrow I hear).
> > 
> > Anyway, RedHat did add limited ECDH support (sufficient for
> > Postfix DANE) some months back, make sure your system has the
> > updated OpenSSL build.
> 
> I think that's it. OpenSSL on the build host wasn't recent enough to reflect
> those changes. I've updated, built and tested successfully on the build host.
> Next step: Deploy and test on customers test servers.

Successfully tested and deployed.

p@rick


-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
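
Added example, not from this thread and not Postfix's own code: a small POSIX sh
check for the three build-time preconditions Viktor lists (OpenSSL 1.0.0 or
later, resolver headers defining RES_USE_DNSSEC and RES_USE_EDNS0, and an
OpenSSL built without OPENSSL_NO_ECDH). It works on the text of an `openssl
version` line and on header files, so it can be run against the host where
Postfix is compiled, which is where the "no requisite library support" outcome
is actually decided. The header paths under /usr/include and the sample headers
it constructs are assumptions, not copies of any distribution's files.

```sh
#!/bin/sh
# Added example (not from the thread, not Postfix's own code): test the three
# build-time preconditions for Postfix outbound DANE named in the thread:
#   1. OpenSSL >= 1.0.0
#   2. <resolv.h> defines RES_USE_DNSSEC and RES_USE_EDNS0
#   3. opensslconf.h does NOT define OPENSSL_NO_ECDH
# Header paths are assumptions; adjust for your build host.

# $1 = output of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
# True when the version parses as major.minor.patch with major >= 1 (i.e. 1.0.0+).
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1          # not an "OpenSSL X.Y.Z" line at all
    set -- $ver                        # $1=major $2=minor $3=patch
    [ "$1" -ge 1 ]
}

# $1 = header file, $2 = macro name. True if the header #defines the macro
# (tolerates "# define", as opensslconf.h writes it; rejects longer names).
header_defines() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Real-system alternative for the resolver macros, in case they live in an
# included sub-header rather than in resolv.h itself (needs a C compiler):
#   printf '#include <resolv.h>\nint x = RES_USE_DNSSEC | RES_USE_EDNS0;\n' |
#       cc -fsyntax-only -x c -

# $1 = `openssl version` output, $2 = path to opensslconf.h, $3 = path to resolv.h.
# Prints one line per check; returns 0 only when all three preconditions hold.
check_dane_prereqs() {
    rc=0
    if openssl_version_ok "$1"; then
        echo "ok:   $1"
    else
        echo "FAIL: need OpenSSL 1.0.0 or later, have: $1"; rc=1
    fi
    for m in RES_USE_DNSSEC RES_USE_EDNS0; do
        if header_defines "$3" "$m"; then
            echo "ok:   $3 defines $m"
        else
            echo "FAIL: $3 does not define $m"; rc=1
        fi
    done
    if header_defines "$2" OPENSSL_NO_ECDH; then
        echo "FAIL: $2 defines OPENSSL_NO_ECDH (EC disabled in this OpenSSL build)"; rc=1
    else
        echo "ok:   $2 does not define OPENSSL_NO_ECDH"
    fi
    return $rc
}

# Constructed sample headers (not copied from any distribution): one
# opensslconf.h with EC disabled, one without, and a resolv.h with both macros.
SAMPLE_DIR=${TMPDIR:-/tmp}/dane-prereq-$$
mkdir -p "$SAMPLE_DIR"
cat >"$SAMPLE_DIR/opensslconf-noec.h" <<'EOF'
#ifndef OPENSSL_NO_EC
# define OPENSSL_NO_EC
#endif
#ifndef OPENSSL_NO_ECDH
# define OPENSSL_NO_ECDH
#endif
EOF
cat >"$SAMPLE_DIR/opensslconf-ec.h" <<'EOF'
#ifndef OPENSSL_NO_GOST
# define OPENSSL_NO_GOST
#endif
EOF
cat >"$SAMPLE_DIR/resolv.h" <<'EOF'
#define RES_USE_EDNS0   0x00100000
#define RES_USE_DNSSEC  0x00800000
EOF

# Demo: 1.0.1e-fips is new enough, yet the EC-disabled header fails the check.
if check_dane_prereqs "OpenSSL 1.0.1e-fips 11 Feb 2013" \
        "$SAMPLE_DIR/opensslconf-noec.h" "$SAMPLE_DIR/resolv.h"; then
    echo "result: DANE library support expected"
else
    echo "result: expect 'dane configured, but no requisite library support'"
fi
# Sample files are left in $SAMPLE_DIR; remove with: rm -rf "$SAMPLE_DIR"

# On a real build host (paths are assumptions):
#   check_dane_prereqs "$(openssl version)" \
#       /usr/include/openssl/opensslconf.h /usr/include/resolv.h
```

Run it on the build host, not only on the target servers: Postfix decides at
compile time whether DANE support is present, so an up-to-date OpenSSL on the
deployment box does not help if the package was built against older headers.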
 
