Peter,

* Peter Bauer <mlu...@archivum.info>:
> Hello,
> 
> I tried to run DANE on my postfix 2.11.0 server, but it does not make DANE
> verifications by connecting on different servers which have officially
> switched to DNSSEC & DANE.

Postfix can only use DANE verification, if the underlying system is able to
tell DNSSEC enabled domains from regular DNS domains.

Does your resolver support DNSSEC? Try this query and watch the 'flags'
section in the output. You should see an 'ad' flag as pointed out in the
example below:

p@x240:~$ dig SOA +dnssec sys4.de

; <<>> DiG 9.9.5-3-Ubuntu <<>> SOA +dnssec sys4.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61650
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

                   ^^

If you don't see it, your resolver cannot authenticate DNSSEC enabled domains.
Then you need to change that.

p@rick



> 
> I tested it with the following configuration:
> 
> smtp_use_tls = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtp_tls_note_starttls_offer = yes
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
> 
> # cat tls_policy
> trashmail.com dane-only
> 
> I get the following error in the logging files:
> Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for
> trashmail.com/smtp.trashmail.com: non DNSSEC destination
> Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for
> trashmail.com/smtp.trashmail.com: non DNSSEC destination
> Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for
> trashmail.com/smtp2.trashmail.com: non DNSSEC destination
> Aug 31 08:57:12 archivum postfix/smtp[23663]: TLS policy lookup for
> trashmail.com/smtp2.trashmail.com: non DNSSEC destination
> 
> I can't understand this result as
> http://dnssec-debugger.verisignlabs.com/trashmail.com
> says that all is fine.
> 
> And posttls-finger does not show anything about DNSSEC or DANE:
> # posttls-finger -t30 -T180 -c -L verbose,summary trashmail.com
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: setting up TLS connection to
> smtp.trashmail.com[88.198.11.51]:25
> posttls-finger: smtp.trashmail.com[88.198.11.51]:25: TLS cipher list
> "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
> posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=1 verify=0
> subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro
> Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
> posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=1 verify=1
> subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro
> Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
> posttls-finger: smtp.trashmail.com[88.198.11.51]:25: depth=0 verify=1
> subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro
> Ltd./OU=TrashMail.net/CN=trashmail.net/emailAddress=cont...@ferraro.net
> posttls-finger: certificate verification failed for
> smtp.trashmail.com[88.198.11.51]:25: untrusted issuer
> /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=Ferraro
> Ltd./OU=SMTP/CN=Ferraro Ltd. SMTP CA/emailAddress=cont...@ferraro.net
> posttls-finger: smtp.trashmail.com[88.198.11.51]:25:
> subject_CN=trashmail.net, issuer_CN=Ferraro Ltd. SMTP CA,
> fingerprint=26:D1:F9:93:4F:EE:A3:52:16:F5:5D:22:98:6B:4F:30:33:5F:1F:F1,
> pkey_fingerprint=4A:3F:63:64:AD:A9:E5:D2:6B:C9:A7:8C:E2:89:FA:F6:D0:A7:94:16
> posttls-finger: Untrusted TLS connection established to
> smtp.trashmail.com[88.198.11.51]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
> What I'm doing wrong?
> 
> -- 
> Best regards,
> Peter Bauer
> Linux & UNIX developer

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
 
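As an added example (not part of the original thread, and not sys4 or Postfix code): a small POSIX shell helper that applies the check described above mechanically. It parses the ";; flags:" header line of dig output and reports whether the 'ad' (Authenticated Data) bit is present, which is what Postfix's smtp_dns_support_level = dnssec relies on. The two dig outputs embedded below are constructed samples, one from a validating resolver and one from a non-validating resolver; the zone name example.net and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Constructed sample: answer from a DNSSEC-validating resolver (note 'ad').
SAMPLE_AD='; <<>> DiG 9.9.5 <<>> SOA +dnssec example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3'

# Constructed sample: same query through a resolver that does not validate.
SAMPLE_NO_AD='; <<>> DiG 9.9.5 <<>> SOA +dnssec example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3'

# has_ad_flag: read dig output on stdin, exit 0 if the flags line carries
# 'ad', exit 1 otherwise. Only the ";; flags:" line is inspected, so the
# same function works on the output of a live `dig` run.
has_ad_flag() {
    awk '/^;; flags:/ {
            sub(/^;; flags: */, "")          # drop the label
            sub(/;.*$/, "")                  # drop the QUERY/ANSWER counters
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# check_resolver ZONE: query the system resolver for the SOA of a signed
# zone and print "validating" or "not-validating". Requires dig on PATH.
# A "not-validating" result means Postfix will log "non DNSSEC destination"
# for every remote and DANE cannot be used until the resolver is fixed.
check_resolver() {
    if dig SOA +dnssec "$1" | has_ad_flag; then
        echo validating
    else
        echo not-validating
    fi
}
```

Run it against a zone you know is signed (for example `check_resolver sys4.de`). Postfix only trusts the 'ad' bit from a resolver it can reach over a trusted path, so the fix for "not-validating" is a validating resolver (such as unbound) on localhost listed first in /etc/resolv.conf, not a remote public resolver.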
