Hi, we encounter an issue with DANE-enabled Postfix trying to deliver mail to a DNSSEC-enabled domain that has no specific TLSA records for its MX but obviously a wildcard CNAME entry:
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mail2.clarion-hotels.cz type=TLSA: Host not found, try again
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: warning: TLS policy lookup for clarion-hotels.cz/mail2.clarion-hotels.cz: TLSA lookup error for mail2.clarion-hotels.cz:25
Sep 3 14:18:47 mailout1 postfix/smtp[30772]: AAF4823F4B5: to=<x...@clarion-hotels.cz>, relay=none, delay=12905, delays=12904/0/1.1/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail2.clarion-hotels.cz:25)

$ host -t tlsa _25._tcp.mail2.clarion-hotels.cz
_25._tcp.mail2.clarion-hotels.cz is an alias for clarion-hotels.cz.

$ dig tlsa _25._tcp.mail2.clarion-hotels.cz

; <<>> DiG 9.9.5-3-Ubuntu <<>> tlsa _25._tcp.mail2.clarion-hotels.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39829
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;_25._tcp.mail2.clarion-hotels.cz. IN TLSA

;; ANSWER SECTION:
_25._tcp.mail2.clarion-hotels.cz. 1788 IN CNAME clarion-hotels.cz.

;; AUTHORITY SECTION:
clarion-hotels.cz. 3059 IN SOA ns.forpsi.net. admin.forpsi.com. 2014082501 3600 1800 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Sep 03 14:23:00 CEST 2014
;; MSG SIZE rcvd: 140

I believe that Postfix stumbles across the unexpected CNAME record, which does not have a TLSA record. Is there anything we can do?

Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
http://www.heinlein-support.de
Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing Director: Peer Heinlein -- Registered office: Berlin
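As an added pre-flight check for this situation (example code, not from the post and not Postfix's own lookup logic), the script below parses dig-style TLSA answers, chases any CNAME and reports whether the query ends at a TLSA RRset, at a name with no TLSA (the wildcard CNAME case shown above), or nowhere. The wildcard sample is the answer section from the post; the mx.example.net sample and its all-zero digest are constructed.

```python
import re

# Constructed sample: the ANSWER section from the dig output in the post,
# in the one-record-per-line form that `dig +noall +answer` also prints.
SAMPLE_WILDCARD_CNAME = """\
_25._tcp.mail2.clarion-hotels.cz. 1788 IN CNAME clarion-hotels.cz.
"""
# Constructed sample of an MX that publishes a TLSA record (placeholder digest).
SAMPLE_WITH_TLSA = "_25._tcp.mx.example.net. 3600 IN TLSA 3 1 1 " + "00" * 32 + "\n"

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def parse_answer(text):
    """Parse dig-style RR lines into (owner, type, rdata); skip ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(), m.group(3)))
    return records

def classify_tlsa(qname, answer_text):
    """Chase CNAMEs from the TLSA query name and report where the lookup ends.

    status: 'tlsa'         a TLSA RRset was found (at qname or a CNAME target)
            'nodata'       qname has neither TLSA nor CNAME
            'cname-nodata' a CNAME led to a name without TLSA (the wildcard case)
            'cname-loop'   the CNAME chain loops
    """
    records = parse_answer(answer_text)
    name = qname.lower().rstrip(".") + "."
    qname = name
    seen = set()
    while name not in seen:
        seen.add(name)
        tlsa = [rd for own, rt, rd in records if own == name and rt == "TLSA"]
        if tlsa:
            return {"status": "tlsa", "target": name, "rdata": tlsa}
        cname = [rd for own, rt, rd in records if own == name and rt == "CNAME"]
        if not cname:
            status = "nodata" if name == qname else "cname-nodata"
            return {"status": status, "target": name, "rdata": []}
        name = cname[0].lower().rstrip(".") + "."
    return {"status": "cname-loop", "target": name, "rdata": []}
```

To run it against a live MX host, feed it the output of `dig +noall +answer tlsa _25._tcp.<mx-host>`; a 'cname-nodata' result flags the wildcard-CNAME condition before DANE delivery to that domain is attempted.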