Hi,
I am trying to set up DANE on my mail server, but I have never seen a
"Verified TLS connection..." in the log. I always get:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
My system is Postfix 3.2.3 on Centos 7.4
# postconf -d | grep mail_version
mail_version = 3.2.3
main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
DNSSEC has been set up and a TLSA record added. It passed the tests at
https://www.huque.com/bin/danecheck and https://dane.sys4.de/
TLSA records found: 1
TLSA: 3 1 1 f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616
Connecting to IPv4 address: 45.62.235.110 port 25
recv: 220 cac.mydomain.com ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-cac.mydomain.com
recv: 250-PIPELINING
recv: 250-SIZE 10240000
recv: 250-VRFY
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250 DSN
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
0 Subject CN: cac.mydomain.com
Issuer CN: Let's Encrypt Authority X3
1 Subject CN: Let's Encrypt Authority X3
Issuer CN: DST Root CA X3
SAN dNSName: cac.mydomain.com
SAN dNSName: mydomain.com
DANE TLSA 3 1 1 [f2545e3b5b42...] matched EE certificate at depth 0
Validated Certificate chain:
0 Subject CN: cac.mydomain.com
Issuer CN: Let's Encrypt Authority X3
SAN dNSName: cac.mydomain.com
SAN dNSName: mydomain.com
[0] Authentication succeeded for all (1) peers.
So I must have missed something... I can't figure it out. Please help.
Thanks.
Gao
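As an added example (not part of Gao's post and not Postfix code), the script below parses the `smtp_tls_loglevel = 1` lines Postfix smtp(8) writes, such as the one quoted above, and tallies the trust level reported per destination. The sample lines are constructed except for the gmail line from the post, re-joined onto one line. The point it illustrates: with `smtp_tls_security_level = dane`, Postfix logs "Verified" only when the destination's own MX publishes usable TLSA records in a DNSSEC-signed zone; a destination without TLSA records (gmail-smtp-in.l.google.com publishes none) falls back to opportunistic TLS and is logged as "Untrusted". The danecheck and dane.sys4.de tests exercise the inbound side of cac.mydomain.com, not the outbound path, so they cannot show that difference.

```python
import re
from collections import Counter

# Postfix smtp(8) TLS session line at smtp_tls_loglevel = 1. The first word
# is the trust level Postfix assigned to the session.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# What each trust level means for a client running smtp_tls_security_level = dane.
DANE_MEANING = {
    "Verified": "peer certificate matched a DNSSEC-validated TLSA record (DANE succeeded)",
    "Trusted": "certificate chained to a locally trusted CA; this is not a DANE match",
    "Untrusted": "encrypted but unauthenticated; the destination had no usable TLSA record",
    "Anonymous": "encrypted without a certificate",
}


def parse_tls_line(line):
    """Return the fields of one Postfix smtp TLS log line, or None if it is not one."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bits"] = int(rec["bits"])
    rec["dane_verified"] = rec["trust"] == "Verified"
    rec["meaning"] = DANE_MEANING[rec["trust"]]
    return rec


def summarize(lines):
    """Count trust levels and record which levels each destination host reached."""
    counts = Counter()
    per_host = {}
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # not a TLS session line (queue activity, delivery status, ...)
        counts[rec["trust"]] += 1
        per_host.setdefault(rec["host"], set()).add(rec["trust"])
    return counts, per_host


def never_verified(per_host):
    """Hosts that were contacted over TLS but never produced a DANE-verified session."""
    return sorted(h for h, levels in per_host.items() if "Verified" not in levels)


# Constructed sample log; only the first line is the one quoted in the post.
# mx.example.net and relay.example.org are hypothetical destinations.
SAMPLE_LOG = [
    "Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection established to "
    "gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Oct 26 13:55:01 cac postfix/smtp[18201]: Verified TLS connection established to "
    "mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Oct 26 13:57:42 cac postfix/smtp[18230]: Trusted TLS connection established to "
    "relay.example.org[198.51.100.5]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Oct 26 13:57:43 cac postfix/smtp[18230]: 1A2B3C: to=<user@example.org>, "
    "relay=relay.example.org[198.51.100.5]:25, status=sent (250 2.0.0 Ok)",
]

if __name__ == "__main__":
    counts, per_host = summarize(SAMPLE_LOG)
    for level, n in counts.items():
        print(f"{level:10s} {n}  ({DANE_MEANING[level]})")
    print("never DANE-verified:", never_verified(per_host))
```

Run it against the real mail log (`summarize(open("/var/log/maillog"))`) to see whether any destination at all reaches "Verified"; if only destinations known to publish TLSA records do, the outbound DANE setup is working and the gmail line is the expected opportunistic fallback.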