[ apologies to everyone for the formatting below, the Yahoo! webmail client is simply awful ]
-------------------------------------------- On Wed, 3/15/17, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

Subject: Re: Problems with lmtp
To: postfix-users@postfix.org
Date: Wednesday, March 15, 2017, 7:29 PM

> On Thu, Mar 16, 2017 at 02:06:37AM +0000, Doug wrote:
> > [ Trying this again as I think I sent to the wrong address the first time ]
>
> FWIW, it got through both times.

I saw that, but thank you for confirming.

> On Thu, Mar 16, 2017 at 02:01:07AM +0000, Doug wrote:
> > I'm on Ubuntu Server 16.04 (up to date) and using the stock postfix package (3.10-3).
>
> There is no Postfix 3.10, did you mean 3.1.0-3? Instead of reporting a vendor
> version string, it is better to report the output of:
>
>     $ postconf -d mail_version

Yes, 3.1.0, thank you.

> I'll make you a deal, fix the TLSA records for your domains to comply with both
> RFC7672 and what Postfix supports (as of Postfix 3.2, per RFC7672 PKIX-EE(1)
> records are treated as "unusable"), and I'll help you with your LMTP transport
> problem!

Given that you've been bullying me on this topic for years, you're well aware of my objections to your approach. But you win, the offending record is gone. I'm not going to turn my domain into a DDoS amplification vector, and given the staggeringly low rate of adoption for DANE I'm not missing anything at this point.

> See http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444

I'm well aware of the problems at StartCom, and my intention has been for quite a while now that when my current set of certs expires this year I'll shift to Let's Encrypt, as by that time I anticipate that its CA will have been sufficiently widely accepted, and enough folks will have upgraded their stuff, to make that a feasible option. But I'm glad that you posted this, as folks need to be aware of the issues there. Personally my risk is near-zero, as I generated my own CSRs and StartCom has never seen my private keys. But still better off moving away, and supporting a worthy project in the process.

Meanwhile, I would welcome your help with my lmtp issue, or not, as you see fit. I do expect though that this is the last I hear from you on the TLSA topic, as your private bullying was quite tedious enough already.

Doug
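The TLSA usability rule at the centre of this exchange (RFC 7672 section 3.1.3: SMTP clients treat PKIX-TA(0) and PKIX-EE(1) records as unusable, and only DANE-TA(2) and DANE-EE(3) count) is easy to check offline before publishing a record. The script below is an added example written for this page, not code from the thread or from Postfix; the RRset in it is constructed, and the hostname, function names and the digest-length sanity check are my own additions, not something the thread specifies.

```python
"""Classify TLSA records for usability under RFC 7672 (DANE for SMTP).

Added example for this page, not code from the postfix-users thread.
SAMPLE_RRSET is constructed; "_25._tcp.mail.example.net" is a placeholder.
"""
import re
from dataclasses import dataclass

# RFC 7672 section 3.1.3: SMTP clients MUST treat PKIX-TA(0) and PKIX-EE(1)
# as unusable, so only DANE-TA(2) and DANE-EE(3) can ever match.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
USABLE_USAGES = {2, 3}
# Matching types (RFC 6698): 0 = full data, 1 = SHA2-256, 2 = SHA2-512.
# Expected hex length of the association data for the digest types (assumed
# sanity check, added here to catch copy-paste truncation).
DIGEST_HEX_LEN = {1: 64, 2: 128}

SAMPLE_OWNER = "_25._tcp.mail.example.net"   # placeholder name
SAMPLE_RRSET = [                              # constructed records
    "1 1 1 " + "ab" * 32,   # PKIX-EE(1): the kind of record the thread argues about
    "3 1 1 " + "cd" * 32,   # DANE-EE(3) SPKI(1) SHA2-256(1): the recommended form
    "3 1 1 " + "ef" * 16,   # SHA2-256 digest cut short: wrong length
]


@dataclass
class TlsaRecord:
    usage: int
    selector: int
    mtype: int
    data: str


def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse presentation-format rdata such as '3 1 1 <hex>'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    # Zone files may split long hex across whitespace; join it back.
    data = "".join(parts[3:]).lower()
    return TlsaRecord(usage, selector, mtype, data)


def classify(rec: TlsaRecord) -> str:
    """Return 'usable', or the reason the record is unusable for SMTP DANE."""
    if rec.usage not in USAGE_NAMES:
        return f"unknown usage {rec.usage}"
    if rec.usage not in USABLE_USAGES:
        return f"{USAGE_NAMES[rec.usage]}({rec.usage}) is unusable per RFC 7672"
    if rec.selector not in (0, 1):
        return f"unknown selector {rec.selector}"
    if rec.mtype not in (0, 1, 2):
        return f"unknown matching type {rec.mtype}"
    if not re.fullmatch(r"[0-9a-f]+", rec.data):
        return "certificate association data is not hex"
    expected = DIGEST_HEX_LEN.get(rec.mtype)
    if expected is not None and len(rec.data) != expected:
        return f"digest length {len(rec.data)} hex chars, expected {expected}"
    return "usable"


def audit(rrset: list[str]) -> dict:
    """Classify every record and report whether any record is usable at all.

    A zone whose RRset has no usable record gives DANE clients nothing to
    match, which is the situation Viktor asks Doug to fix.
    """
    results = {rdata: classify(parse_tlsa(rdata)) for rdata in rrset}
    return {
        "records": results,
        "any_usable": any(v == "usable" for v in results.values()),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RRSET)
    print(f"TLSA RRset for {SAMPLE_OWNER}:")
    for rdata, verdict in report["records"].items():
        print(f"  {rdata[:12]}...  {verdict}")
    print("any usable record:", report["any_usable"])
```

Running it on the constructed RRset flags the PKIX-EE(1) record as unusable, accepts the DANE-EE(3) SPKI(1) SHA2-256(1) record, and catches the truncated digest. For a live check against real DNS, Postfix ships posttls-finger(1), which performs the DANE lookup and reports which records it could use.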