On 14-11-14 22:27, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 10:01:02PM +0100, Tom Hendrikx wrote:
> 
>> One notable difference between posttls-finger and postfix (as
>> described in the documentation) is that postfix would only use
>> the TLSA record for deciding on a "verified" connection when the
>> resolver is running on localhost, while posttls-finger also
>> accepts dnssec data from a remote resolver (I run unbound in a
>> different VM on the same piece of hardware).
> 
> Postfix will use (and wisely or otherwise trust) whatever resolver
> is in /etc/resolv.conf. If that's remote, and subject to MiTM
> attacks, that's your problem. If you have a secure IPsec tunnel to a
> trusted resolver, feel free to use it. You can even use remote
> resolvers over untrusted networks, and expose yourself to active
> attacks.
> 
>> My guess is that I would actually need to send a mail to someone
>> that has TLSA records published in order to test my postfix
>> setup, and then check the local logs.
> 
> The posttls-finger and Postfix code exercise very similar
> verification logic. You can use "sendmail -bv" to test without
> actually delivering the mail.
> 
> /usr/sbin/sendmail -bv postmas...@example.net
> 
> then check the logs.
> 
>> Am I wrong in understanding the docs, or is there actually a
>> difference in the restrictions on resolver usage between
>> posttls-finger and postfix? If so, would it be useful to keep
>> these in sync, or add a switch to posttls-finger to enforce this
>> behaviour for testing purposes?
> 
> There is no difference. Both use the same DNS library in the same
> way.
> 
>> Finally, does anybody have an email sinkhole available on a DANE
>> enabled server where I can send some test messages? :)
> 
> The "sendmail -bv" command probes a server without sending mail.
Thanks for the quick responses. That indeed works:

Nov 14 22:55:56 hostname postfix-out/smtp[11505]: Verified TLS connection established to mail.sys4.de[2001:1578:400:111::7]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 14 22:55:57 hostname postfix-out/smtp[11505]: 66FCB8049: to=<e...@sys4.de>, relay=mail.sys4.de[2001:1578:400:111::7]:25, delay=0.83, delays=0.16/0.05/0.17/0.45, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)

Regards,
Tom
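The thread's recipe is "probe with sendmail -bv, then check the logs". The script below is an added example (not code from the thread, from Postfix or from posttls-finger) that does the log check mechanically: it parses the "TLS connection established" line that Postfix smtp(8) logs, joins it by process id to the delivery-status line of the same session, and reports whether every session to a given relay reached the "Verified" level. The SAMPLE_LOG it runs on is constructed: the first two lines are modelled on the output quoted above, the remaining lines are made up to show an Untrusted session and a session with no TLS line at all.

```python
"""Check Postfix smtp(8) log lines from a "sendmail -bv" probe for Verified TLS.

Added example; not code from the mailing-list thread, Postfix or posttls-finger.
SAMPLE_LOG is constructed test data (first two lines modelled on the thread).
"""
import re
from typing import Dict, List, Optional

# Trust levels smtp(8) uses in the "TLS connection established" line, weakest first.
LEVEL_ORDER = ("Anonymous", "Untrusted", "Trusted", "Verified")

TLS_RE = re.compile(
    r"postfix(?:-\w+)?/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

STATUS_RE = re.compile(
    r"postfix(?:-\w+)?/smtp\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-Za-z]+): "
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^\[\s,]+)(?:\[[^\]]+\]:\d+)?, "
    r".*?status=(?P<status>\w+)"
)

SAMPLE_LOG = """\
Nov 14 22:55:56 hostname postfix-out/smtp[11505]: Verified TLS connection established to mail.sys4.de[2001:1578:400:111::7]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Nov 14 22:55:57 hostname postfix-out/smtp[11505]: 66FCB8049: to=<e...@sys4.de>, relay=mail.sys4.de[2001:1578:400:111::7]:25, delay=0.83, delays=0.16/0.05/0.17/0.45, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Nov 14 23:01:10 hostname postfix-out/smtp[11620]: Untrusted TLS connection established to mx.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 14 23:01:11 hostname postfix-out/smtp[11620]: 7A1C28051: to=<user@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.2, delays=0.10/0.02/0.60/0.48, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
Nov 14 23:05:00 hostname postfix-out/smtp[11702]: 9B0F18060: to=<someone@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, delays=0.10/0.01/0.40/0.39, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
"""


def probe_results(log_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per delivery-status line, tagged with the TLS level of its session.

    smtp(8) handles one remote session at a time, so the most recent TLS line
    from the same pid belongs to the status line that follows it.  Because a
    pid is reused for later sessions, the TLS line is only trusted when its
    host matches the relay in the status line; otherwise it is treated as
    stale.  A session with no TLS line (cleartext, or a handshake that never
    completed) gets tls_level None.
    """
    pending: Dict[str, Dict[str, str]] = {}
    results: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        tls = TLS_RE.search(line)
        if tls:
            pending[tls["pid"]] = tls.groupdict()
            continue
        status = STATUS_RE.search(line)
        if not status:
            continue
        session = pending.get(status["pid"])
        if session and session["host"] != status["relay"]:
            session = None  # stale TLS line from an earlier session of a reused pid
        results.append({
            "queue_id": status["queue_id"],
            "rcpt": status["rcpt"],
            "relay": status["relay"],
            "status": status["status"],
            "tls_level": session["level"] if session else None,
            "protocol": session["proto"] if session else None,
            "cipher": session["cipher"] if session else None,
        })
    return results


def is_verified(log_text: str, relay: str) -> bool:
    """True when at least one session to `relay` was logged and all of them were Verified."""
    hits = [r for r in probe_results(log_text) if r["relay"] == relay]
    return bool(hits) and all(r["tls_level"] == "Verified" for r in hits)


def weakest_level(log_text: str) -> Optional[str]:
    """Weakest level across all sessions; "none" if any session had no TLS line,
    None if the log contains no delivery-status lines at all."""
    levels = [r["tls_level"] for r in probe_results(log_text)]
    if not levels:
        return None
    if None in levels:
        return "none"
    return min(levels, key=LEVEL_ORDER.index)


if __name__ == "__main__":
    for r in probe_results(SAMPLE_LOG):
        print(f'{r["queue_id"]} {r["rcpt"]:<22} {r["relay"]:<16} '
              f'{(r["tls_level"] or "no TLS"):<10} {r["status"]}')
    print("mail.sys4.de verified:", is_verified(SAMPLE_LOG, "mail.sys4.de"))
    print("weakest level seen:", weakest_level(SAMPLE_LOG))
```

Feed it the smtp(8) lines written while the "sendmail -bv" probe ran and check is_verified() for the relay you probed. One caveat when reading the result: "Verified" says the remote certificate matched whatever policy Postfix applied to that destination, which may be DANE TLSA data or a configured secure/verify match; the TLS log line by itself does not say which policy was in force.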