On Sat, Aug 02, 2014 at 08:14:04PM +0200, Peter Palfrader wrote:

> running 2.11.1 on Debian wheezy, I noticed the following in my mail.log today:
> 
> weasel@eugeni:~$ grep mx02.posteo.de /var/log/mail.log | grep 'connection est'
> } Aug  1 09:59:59 s_local@eugeni postfix/smtp[22481]: Untrusted TLS 
> connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with 
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

For what recipient domains?  You need to find the immediately subsequent

    postfix/smtp[22481]: <queue-id>: to=<...>, relay=..., dsn=...

log entry to determine which domain's mail was routed to posteo.de's
MX host.

> I notice that currently posteo's DNS is half-broken, i.e., one of its
> two nameservers returns SERVFAIL for every query.  The other one appears
> to work just fine.

This will add some latency, but is otherwise harmless, until the
second NS also fails.  Please let them know that one of their NS
servers is broken.  Here's what I see:

    $ dig +noall +comment +ans +ad -t ns posteo.de
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45015
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; ANSWER SECTION:
    posteo.de.              217     IN      NS      ns01.posteo.de.
    posteo.de.              217     IN      NS      ns.sys4.de.

    $ dig +noall +comment +ans +ad -t mx posteo.de @ns.sys4.de
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10341
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available

    ;; ANSWER SECTION:
    posteo.de.              300     IN      MX      50 mx04.posteo.de.
    posteo.de.              300     IN      MX      10 mx02.posteo.de.

    $ dig +noall +comment +ans +ad -t mx posteo.de @ns01.posteo.de
    ;; connection timed out; no servers could be reached

So it is just Patrick Koetter et al. keeping Posteo.de from
vanishing from the net...

> Any idea why postfix fails to establish a verified TLS connection?

You've not provided enough information.

> If having one nameserver return SERVFAIL can induce this behavior, then this
> seems like a potential downgrading vector that could be abused.

Correlation does not imply causation.  A false premise yields a false
conclusion.

-- 
        Viktor.
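The correlation Viktor describes above (matching the "TLS connection established" line to the next "to=<...>, relay=..., dsn=..." line from the same smtp(8) process) can be scripted. The example below is added here and is not code from either participant or from Postfix; the log lines it parses are constructed for the example (host names and the mx02 address mirror the quoted entry, the queue IDs, recipients and other relays are made up). It generalizes the grep to any relay and reports, per recipient domain, which TLS level Postfix logged, including deliveries that had no TLS line at all.

```python
import re

# Constructed sample mail.log lines (not from the original thread).
SAMPLE_LOG = """\
Aug  1 09:59:59 eugeni postfix/smtp[22481]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 09:59:59 eugeni postfix/smtp[22481]: 3A1B2C3D4E: to=<alice@example.org>, relay=mx02.posteo.de[89.146.194.165]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Aug  1 10:00:03 eugeni postfix/smtp[22490]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug  1 10:00:03 eugeni postfix/smtp[22490]: 5F6A7B8C9D: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.2/0/0.5/0.5, dsn=2.0.0, status=sent (250 Ok)
Aug  1 10:00:07 eugeni postfix/smtp[22495]: 0E1F2A3B4C: to=<carol@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 Ok)
"""

# Postfix smtp(8) logs the TLS handshake result before the per-recipient
# delivery line; both carry the same process ID, which is the join key.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<relay>.+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+),.*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def correlate(lines):
    """Return one record per delivery line, annotated with the TLS level
    logged by the same smtp(8) process for the same relay (None if no
    matching TLS line was seen, i.e. the session was plaintext or the
    TLS line is outside the scanned window)."""
    pending = {}   # pid -> last TLS handshake seen for that process
    records = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pending[m.group("pid")] = m.groupdict()
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        tls = pending.get(d["pid"])
        # A process may reuse a connection or open a new one to a different
        # relay; only trust the TLS line if it names the same relay.
        if tls and tls["relay"] != d["relay"]:
            tls = None
        records.append({
            "queue_id": d["qid"],
            "domain": d["rcpt"].split("@", 1)[1],
            "relay": d["relay"],
            "dsn": d["dsn"],
            "status": d["status"],
            "tls_level": tls["level"] if tls else None,
            "protocol": tls["proto"] if tls else None,
            "cipher": tls["cipher"] if tls else None,
        })
    return records


def domains_via_relay(lines, relay_substring):
    """Answer 'for what recipient domains' for a given MX host: sorted
    recipient domains whose mail was handed to a relay matching the substring."""
    return sorted({r["domain"] for r in correlate(lines)
                   if relay_substring in r["relay"]})


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG.splitlines()):
        print(f'{r["domain"]:<14} via {r["relay"]:<40} TLS={r["tls_level"]}')
    print("domains via mx02.posteo.de:",
          domains_via_relay(SAMPLE_LOG.splitlines(), "mx02.posteo.de"))
```

Run it against a real file with `correlate(open("/var/log/mail.log"))`; because the join is on the process ID, the TLS line and the delivery line must both be in the scanned range, which is why grepping for the relay alone (as in the quoted command) drops the recipient information.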
