On Fri, Nov 14, 2014 at 10:01:02PM +0100, Tom Hendrikx wrote:

> One notable difference between posttls-finger and postfix (as
> described in the documentation) is that postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts dnssec data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).
Postfix will use (and wisely or otherwise trust) whatever resolver is in /etc/resolv.conf. If that's remote, and subject to MiTM attacks, that's your problem. If you have a secure IPsec tunnel to a trusted resolver, feel free to use it. You can even use remote resolvers over untrusted networks, and expose yourself to active attacks.

> My guess is that I would actually need to send a mail to someone that
> has TLSA records published in order to test my postfix setup, and then
> check the local logs.

The posttls-finger and Postfix code exercise very similar verification logic. You can use "sendmail -bv" to test without actually delivering the mail.

    /usr/sbin/sendmail -bv postmas...@example.net

then check the logs.

> Am I wrong in understanding the docs, or is there actually a
> difference in the restrictions on resolver usage between
> posttls-finger and postfix. If so, would it be useful to keep these in
> sync, or add a switch to posttls-finger to enforce this behaviour for
> testing purposes?

There is no difference. Both use the same DNS library in the same way.

> Finally, does anybody have an email sinkhole available on a DANE
> enabled server where I can send some test messages?:)

The "sendmail -bv" command probes a server without sending mail.

-- 
Viktor.
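A small check that follows from the point above about /etc/resolv.conf: since Postfix and posttls-finger both trust whatever resolver is listed there, a DANE "verified" result only means something when every nameserver is reached over a path an attacker cannot tamper with. This is an added example, not code from Postfix or from the thread; the resolv.conf contents and the notion of a "trusted network" set are assumptions for illustration.

```python
"""Flag resolv.conf nameservers that are not on a trusted path.

Postfix and posttls-finger take the resolver from /etc/resolv.conf and
rely on its DNSSEC validation, so a verified DANE connection needs every
listed nameserver to be loopback (or reachable over something like an
IPsec tunnel the admin has chosen to trust).
"""
import ipaddress
import sys

# Assumption: only loopback resolvers are trusted by default; an admin
# with a secured tunnel can pass a wider set of trusted networks.
DEFAULT_TRUSTED = (ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128"))


def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    found = []
    for line in resolv_conf_text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def untrusted_resolvers(resolv_conf_text, trusted=DEFAULT_TRUSTED):
    """Return nameservers outside every trusted network (or unparsable)."""
    bad = []
    for ns in nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            bad.append(ns)
            continue
        if not any(addr in net for net in trusted):
            bad.append(ns)
    return bad


# Constructed samples: a resolver in another VM, and unbound on localhost.
SAMPLE_REMOTE = "search example.net\nnameserver 192.0.2.53\n"
SAMPLE_LOCAL = "nameserver 127.0.0.1\nnameserver ::1  # unbound on localhost\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as f:
        bad = untrusted_resolvers(f.read())
    if bad:
        print("DANE results not trustworthy; remote resolvers:", ", ".join(bad))
        sys.exit(1)
    print("all resolvers are on a trusted path")
```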