[Please CC me on replies.]

Hi,

running 2.11.1 on Debian wheezy, I noticed the following in my mail.log today:

  weasel@eugeni:~$ grep mx02.posteo.de /var/log/mail.log | grep 'connection est'
  Aug  1 09:59:59 s_local@eugeni postfix/smtp[22481]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:00:25 s_local@eugeni postfix/smtp[21471]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:03:15 s_local@eugeni postfix/smtp[22492]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:05:15 s_local@eugeni postfix/smtp[21477]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:05:36 s_local@eugeni postfix/smtp[22653]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:05:37 s_local@eugeni postfix/smtp[23724]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:45:40 s_local@eugeni postfix/smtp[30489]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:45:40 s_local@eugeni postfix/smtp[30402]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 10:47:19 s_local@eugeni postfix/smtp[30484]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 11:38:10 s_local@eugeni postfix/smtp[7115]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 11:38:14 s_local@eugeni postfix/smtp[6424]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 11:38:16 s_local@eugeni postfix/smtp[6432]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Aug  1 11:39:17 s_local@eugeni postfix/smtp[6439]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  ...

My config includes

  smtp_dns_support_level = dnssec
  smtp_tls_security_level = dane

and my only nameserver in /etc/resolv.conf is a security-aware unbound instance on 127.0.0.1.

I notice that currently posteo's DNS is half-broken, i.e., one of its two nameservers returns SERVFAIL for every query. The other one appears to work just fine.

Any idea why postfix fails to establish a verified TLS connection? If having one nameserver return SERVFAIL can induce this behavior, then this seems like a potential downgrading vector that could be abused.

Cheers,
-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
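The pattern the poster spotted by eye, a destination that is "Verified" on some deliveries and "Untrusted" on others under `smtp_tls_security_level = dane`, is something a log monitor can flag automatically. The following is an added example, not code from the mail or from the Postfix project: it parses the smtp(8) "TLS connection established" lines in the layout shown above, counts trust levels per destination host, and reports every point at which a host drops from Verified to a weaker level. The sample log lines are constructed for the example (hostnames and addresses from documentation ranges), as are the function names.

```python
import re
from collections import defaultdict

# Layout of the smtp(8) "TLS connection established" line, taken from the
# lines quoted in the mail. Anything that does not match (qmgr, cleanup,
# non-TLS smtp lines) is ignored.
TLS_LINE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+postfix/smtp\[\d+\]:\s+'
    r'(?P<level>Anonymous|Untrusted|Trusted|Verified)\s+TLS connection established to\s+'
    r'(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+):\s+'
    r'(?P<proto>\S+)\s+with cipher\s+(?P<cipher>\S+)'
)

# Constructed sample log (not the poster's real log): one destination flaps
# between Verified and Untrusted, one is consistently Verified, one only
# ever gets an anonymous (unauthenticated) session, plus an unrelated line.
SAMPLE_LOG = [
    "Aug  1 09:59:59 mta postfix/smtp[22481]: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Aug  1 10:00:03 mta postfix/qmgr[1201]: 4F1C2A3B: from=<alice@example.test>, size=1234, nrcpt=1 (queue active)",
    "Aug  1 10:05:37 mta postfix/smtp[23724]: Verified TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Aug  1 10:45:40 mta postfix/smtp[30489]: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Aug  1 10:46:01 mta postfix/smtp[30500]: Verified TLS connection established to mail.other.test[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Aug  1 10:47:19 mta postfix/smtp[30484]: Anonymous TLS connection established to relay.third.test[203.0.113.4]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
]


def parse_tls_line(line):
    """Return the named fields of one TLS log line, or None for any other line."""
    m = TLS_LINE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count how often each trust level was reached per destination host."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_tls_line(line)
        if rec:
            counts[rec['host']][rec['level']] += 1
    return {host: dict(c) for host, c in counts.items()}


def flag_mixed_hosts(lines):
    """Hosts that were Verified at least once but also got a weaker level.

    Under a 'dane' policy a destination whose TLSA records validate should
    be Verified every time; a mix means authentication is intermittently
    not happening, which is the symptom reported in the mail."""
    return sorted(host for host, c in summarize(lines).items()
                  if 'Verified' in c and len(c) > 1)


def downgrade_events(lines):
    """(timestamp, host, new_level) each time a host drops from Verified to a
    weaker level, in log order, so the moment of the downgrade can be
    correlated with resolver logs."""
    last_level = {}
    events = []
    for line in lines:
        rec = parse_tls_line(line)
        if not rec:
            continue
        host, level = rec['host'], rec['level']
        if last_level.get(host) == 'Verified' and level != 'Verified':
            events.append((rec['stamp'], host, level))
        last_level[host] = level
    return events


if __name__ == '__main__':
    for host, levels in summarize(SAMPLE_LOG).items():
        print(host, levels)
    print('mixed:', flag_mixed_hosts(SAMPLE_LOG))
    for stamp, host, level in downgrade_events(SAMPLE_LOG):
        print('downgrade', stamp, host, '->', level)
```

Run it against a real file with `summarize(open('/var/log/mail.log'))`; the generator form keeps the functions usable on a live log. For destinations that must never be delivered without DANE authentication, Postfix 2.11 also offers `smtp_tls_security_level = dane-only`, which defers mail instead of falling back to an unauthenticated session, so a resolver problem shows up as a queue backlog rather than as a silent downgrade.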