Hello, I tried to run DANE on my Postfix 2.11.0 server, but it does not perform DANE verification when connecting to various servers that have officially switched to DNSSEC & DANE.

I tested it with the following configuration:

smtp_use_tls = yes
smtp_tls_fingerprint_digest = sha1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# cat tls_policy
trashmail.com dane-only

I get the following error in the log files:

Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp2.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp2.trashmail.com: non DNSSEC destination

I can't understand this result, as http://dnssec-debugger.verisignlabs.com/trashmail.com says that all is fine. And posttls-finger does not show anything about DNSSEC or DANE:

# posttls-finger -t30 -T180 -c -L verbose,summary trashmail.com
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to smtp.trashmail.com[88.198.11.51]:25
posttls-finger: smtp.trashmail.com[88.198.11.51]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=1 verify=0 subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=1 verify=1 subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=0 verify=1 subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro Ltd./OU=TrashMail.net/CN=trashmail.net/emailAddress=cont...@ferraro.net
posttls-finger: certificate verification failed for smtp.trashmail.com[88.198.11.51]:25: untrusted issuer /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
posttls-finger: smtp.trashmail.com[88.198.11.51]:25: subject_CN=trashmail.net, issuer_CN=Ferraro Ltd. SMTP CA, fingerprint=26:D1:F9:93:4F:EE:A3:52:16:F5:5D:22:98:6B:4F:30:33:5F:1F:F1, pkey_fingerprint=4A:3F:63:64:AD:A9:E5:D2:6B:C9:A7:8C:E2:89:FA:F6:D0:A7:94:16
posttls-finger: Untrusted TLS connection established to smtp.trashmail.com[88.198.11.51]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

What am I doing wrong?

--
Best regards,
Peter Bauer
Linux & UNIX developer
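A note on what the logged message means, with a small triage script. This is an added example and is not part of the original post or of Postfix. Postfix writes "TLS policy lookup for <nexthop>/<host>: non DNSSEC destination" when the answer for the next-hop's MX records came back from the SMTP client's own resolver without the AD (authenticated data) bit, so DANE is never attempted for that host, and with a "dane-only" policy delivery is deferred rather than downgraded. Whether an external checker such as the Verisign debugger sees the zone as signed is irrelevant to this decision; only the resolver in the sending host's /etc/resolv.conf counts, and it has to be a DNSSEC-validating resolver. The Postfix TLS documentation recommends that this resolver listen on the loopback interface, since Postfix trusts the AD bit as delivered over the wire. posttls-finger uses the same resolver, and only exercises DANE when run with "-l dane" or "-l dane-only". The script below parses smtp(8) log lines in this format and checks a resolv.conf for non-loopback nameservers; the log lines are constructed (the first four echo the post, the rest are made up to show a Verified and an Untrusted delivery in the same format), and the resolv.conf text is passed in as a string rather than read from disk.

```python
"""Triage Postfix smtp(8) TLS/DANE log lines and sanity-check resolv.conf.

Added example, not code from the original post or from Postfix.
Assumptions: stock Postfix smtp(8) log format; sample log lines and
resolv.conf contents are constructed here rather than taken from a live host.
"""
import ipaddress
import re

# "TLS policy lookup for <nexthop>/<host>: <reason>"
POLICY_RE = re.compile(
    r"TLS policy lookup for (?P<nexthop>[^/\s]+)/(?P<host>\S+?): (?P<reason>.+?)\s*$"
)
# "<grade> TLS connection established to <host>[<ip>]:<port>: ..."
CONN_RE = re.compile(
    r"(?P<grade>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)

# Constructed sample log: lines 1-4 echo the post, the last two are invented
# to show what a DANE-verified and an unauthenticated delivery look like.
SAMPLE_LOG = """\
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp2.trashmail.com: non DNSSEC destination
Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for trashmail.com/smtp2.trashmail.com: non DNSSEC destination
Aug 31 09:01:03 archivum postfix/smtp[23701]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 31 09:02:44 archivum postfix/smtp[23702]: Untrusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""


def triage(log_text):
    """Group smtp(8) TLS log lines per remote host.

    Returns {host: {"policy": last policy-lookup reason or None,
                    "tls": connection grade or None}}.
    """
    hosts = {}
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            hosts.setdefault(m["host"], {"policy": None, "tls": None})["policy"] = m["reason"]
            continue
        m = CONN_RE.search(line)
        if m:
            hosts.setdefault(m["host"], {"policy": None, "tls": None})["tls"] = m["grade"]
    return hosts


def dane_status(entry):
    """Short verdict for one host's entry.

    "no-dnssec":    MX data arrived without the AD bit; Postfix skipped DANE
                    (and defers mail under a dane-only policy).
    "verified":     Postfix authenticated the peer (DANE, CA or fingerprint
                    policy; the connection line alone does not say which).
    "not-verified": TLS was used but the peer was not authenticated.
    "unknown":      nothing conclusive was logged for this host.
    """
    if entry["policy"] and "non DNSSEC" in entry["policy"]:
        return "no-dnssec"
    if entry["tls"] == "Verified":
        return "verified"
    if entry["tls"] in ("Trusted", "Untrusted", "Anonymous"):
        return "not-verified"
    return "unknown"


def resolver_check(resolv_conf_text):
    """Return (all_loopback, nameservers) for the given resolv.conf contents.

    Postfix DANE needs a validating resolver that sets the AD bit, and the
    Postfix TLS documentation recommends that it live on the loopback
    interface; a remote nameserver here is the first thing to question when
    every destination shows up as "non DNSSEC destination".
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    try:
        all_loopback = bool(servers) and all(
            ipaddress.ip_address(s).is_loopback for s in servers
        )
    except ValueError:  # unparsable address: treat as not acceptable
        all_loopback = False
    return all_loopback, servers


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_LOG).items():
        print(f"{host:22} {dane_status(entry)}")
    ok, servers = resolver_check("nameserver 8.8.8.8\nnameserver 127.0.0.1\n")
    print("resolvers:", servers, "all loopback:", ok)
```

Run against a real host by feeding it `grep 'postfix/smtp' /var/log/mail.log` and the contents of /etc/resolv.conf; every destination reporting "no-dnssec" while external DNSSEC checkers report the zone as fine points at the local resolver, not at the remote site.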