* Tom Hendrikx <t...@whyscream.net>:
> I configured my mailserver to use DANE for outbound mail whenever
> possible, but I am having a hard time in verifying that this actually
> works.
>
> When I use posttls-finger from the machine, it indicates "Verified TLS
> connection established" when I point to a few mxen that are known to
> have TLSA records available (because they were announced here).
> However, this does not test postfix itself.
>
> One notable difference between posttls-finger and postfix (as
> described in the documentation) is that postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts dnssec data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).
>
> My guess is that I would actually need to send a mail to someone that
> has TLSA records published in order to test my postfix setup, and then
> check the local logs.
>
> Am I wrong in understanding the docs, or is there actually a
> difference in the restrictions on resolver usage between
> posttls-finger and postfix? If so, would it be useful to keep these in
> sync, or add a switch to posttls-finger to enforce this behaviour for
> testing purposes?
>
> Finally, does anybody have an email sinkhole available on a DANE
> enabled server where I can send some test messages? :)

e...@sys4.de is a DNSSEC-enabled echo service.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
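
The "send a test message, then check the local logs" step from the thread, as an added example that is not part of either post: a small parser that reads the Postfix smtp(8) client's TLS summary lines and reports which expected DANE destinations were not reached over a "Verified" session. It assumes `smtp_tls_loglevel = 1` or higher and `smtp_tls_security_level = dane`; the host names, addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Outbound TLS summary line written by the Postfix smtp(8) client.
# Matching "/smtp[" skips smtpd(8) lines, which describe inbound sessions.
TLS_LINE = re.compile(
    r"/smtp\[\d+\]: (?P<status>Verified|Trusted|Untrusted|Anonymous) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[[^\]]+\]:\d+"
)

# Constructed sample log lines; hosts and addresses are placeholders.
CIPHER = "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)"
SAMPLE_LOG = [
    "Jan 10 10:00:01 mail postfix/smtp[2412]: Verified TLS connection "
    "established to mx1.dane.example[192.0.2.10]:25: " + CIPHER,
    "Jan 10 10:00:05 mail postfix/smtp[2413]: Untrusted TLS connection "
    "established to mx2.dane.example[192.0.2.20]:25: " + CIPHER,
    "Jan 10 10:00:09 mail postfix/smtpd[2420]: Anonymous TLS connection "
    "established from client.example[198.51.100.7]: " + CIPHER,
]
EXPECTED = ["mx1.dane.example", "mx2.dane.example", "mx3.dane.example"]


def tls_status_by_host(lines):
    """Return {mx_host: {status: count}} for outbound TLS sessions."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            seen[m["host"].lower()][m["status"]] += 1
    return {host: dict(counts) for host, counts in seen.items()}


def not_verified(lines, dane_hosts):
    """For MX hosts expected to publish TLSA records, return those not
    reached exclusively over Verified sessions, mapped to the other
    statuses seen (an empty list means no session was logged at all)."""
    seen = tls_status_by_host(lines)
    problems = {}
    for host in dane_hosts:
        statuses = seen.get(host.lower(), {})
        others = sorted(s for s in statuses if s != "Verified")
        if others or not statuses:
            problems[host] = others
    return problems


if __name__ == "__main__":
    for host, others in not_verified(SAMPLE_LOG, EXPECTED).items():
        print(host, others or "no outbound TLS session logged")
```

A host reported with "Untrusted" or "Trusted" was delivered to without DANE authentication, which is the case the resolver question in the thread is about.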