Hi,

I configured my mailserver to use DANE for outbound mail whenever possible, but I am having a hard time verifying that this actually works. When I use posttls-finger from the machine, it indicates "Verified TLS connection established" when I point to a few mxen that are known to have TLSA records available (because they were announced here). However, this does not test postfix itself.

One notable difference between posttls-finger and postfix (as described in the documentation) is that postfix would only use the TLSA record for deciding on a "verified" connection when the resolver is running on localhost, while posttls-finger also accepts DNSSEC data from a remote resolver (I run unbound in a different VM on the same piece of hardware). My guess is that I would actually need to send a mail to someone that has TLSA records published in order to test my postfix setup, and then check the local logs.

Am I wrong in understanding the docs, or is there actually a difference in the restrictions on resolver usage between posttls-finger and postfix? If so, would it be useful to keep these in sync, or add a switch to posttls-finger to enforce this behaviour for testing purposes?

Finally, does anybody have an email sinkhole available on a DANE enabled server where I can send some test messages? :)

Kind regards,
Tom
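
The log check mentioned in the message above, as an added example that is not part of the original post: it summarises the verification level the Postfix smtp(8) client logged per outbound destination. It assumes `smtp_tls_loglevel = 1` or higher and the default `postfix/smtp` syslog name; the sample log lines, hostnames and addresses are constructed.

```shell
#!/bin/sh
# Added example: read mail log lines on stdin and print
# "<destination> <level> <count>" for every outbound TLS handshake.
# Only postfix/smtp[pid] (the client) is matched, so inbound smtpd
# "... established from ..." lines are ignored.
tls_levels() {
    awk '
    /postfix\/smtp\[[0-9]+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection established to / {
        line = $0
        sub(/^.*postfix\/smtp\[[0-9]+\]: /, "", line)      # strip syslog prefix
        level = line
        sub(/ TLS connection established to .*/, "", level) # keep the level word
        host = line
        sub(/^.* TLS connection established to /, "", host)
        sub(/\[.*/, "", host)                               # drop [addr]:port and cipher
        count[host " " level]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Destinations that had at least one handshake logged below "Verified".
not_verified() {
    tls_levels | awk '$2 != "Verified" { print $1 }' | sort -u
}

# Constructed sample input (not real log data).
sample_log() {
    cat <<'EOF'
Nov 14 21:01:02 mail postfix/smtp[2101]: Verified TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 21:01:03 mail postfix/smtp[2101]: 3F2A1C0: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, status=sent (250 ok)
Nov 14 21:05:40 mail postfix/smtp[2107]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 14 21:06:11 mail postfix/smtpd[2110]: Anonymous TLS connection established from client.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 14 21:09:30 mail postfix/smtp[2115]: Verified TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
EOF
}

# Stand-alone run on the constructed sample; on a real host, pipe the
# mail log into tls_levels instead.
sample_log | tls_levels
```

A destination that publishes TLSA records but shows up in `not_verified` is the case worth investigating.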