On 26 October 2017 23:08:16 CEST, Gao <g...@pztop.com> wrote:
>Hi,
>
>I am trying to set up DANE on my mail server. But I have never seen a 
>"Verified TLS connection..." in the log. I always get:
>Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection 
>established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2 
>with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
>My system is Postfix 3.2.3 on Centos 7.4
># postconf -d | grep mail_version
>mail_version = 3.2.3
>
>main.cf:
>smtp_dns_support_level = dnssec
>smtp_tls_security_level = dane
>smtp_tls_loglevel = 1
>
>DNSSEC has been setup and added TLSA record. Passed test at 
>https://www.huque.com/bin/danecheck and https://dane.sys4.de/
>
>TLSA records found: 1
>TLSA: 3 1 1
>f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616
>
>Connecting to IPv4 address: 45.62.235.110 port 25
>recv: 220 cac.mydomain.com ESMTP Postfix
>send: EHLO cheetara.huque.com
>recv: 250-cac.mydomain.com
>recv: 250-PIPELINING
>recv: 250-SIZE 10240000
>recv: 250-VRFY
>recv: 250-ETRN
>recv: 250-STARTTLS
>recv: 250-ENHANCEDSTATUSCODES
>recv: 250-8BITMIME
>recv: 250 DSN
>send: STARTTLS
>recv: 220 2.0.0 Ready to start TLS
>TLSv1.2 handshake succeeded.
>Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
>Peer Certificate chain:
>  0 Subject CN: cac.mydomain.com
>    Issuer  CN: Let's Encrypt Authority X3
>  1 Subject CN: Let's Encrypt Authority X3
>    Issuer  CN: DST Root CA X3
>  SAN dNSName: cac.mydomain.com
>  SAN dNSName: mydomain.com
>DANE TLSA 3 1 1 [f2545e3b5b42...] matched EE certificate at depth 0
>Validated Certificate chain:
>  0 Subject CN: cac.mydomain.com
>    Issuer  CN: Let's Encrypt Authority X3
>  SAN dNSName: cac.mydomain.com
>  SAN dNSName: mydomain.com
>
>[0] Authentication succeeded for all (1) peers.
>
>So I must have missed something... I can't figure it out. Please help.
It looks like you have your inbound DANE config set up and DANE-checking systems can 
utilize DANE to verify your certs. 

You will only have "verified" in your logs when you /send/ mail to a DANE-enabled 
domain. Try this service to check your outbound DANE config:
https://havedane.net/


>Thanks.
>
>Gao

-- 
Christian Kivalo
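The danecheck output quoted above reports that a "3 1 1" TLSA record "matched EE certificate at depth 0". As an added example (not code from this thread, from Postfix, or from the danecheck tool), the script below shows what that match actually compares: usage 3 (DANE-EE) means the record pins the server's own end-entity certificate, selector 1 means the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, and matching type 1 means SHA-256 of that DER structure. No certificate is on the page, so the script builds a constructed, skeletal DER certificate around a dummy key (labelled as such in the comments), extracts the SPKI with a minimal DER reader, and both generates the record and checks a record against the certificate. It also goes slightly beyond the thread by exercising DER long-form lengths, which any real certificate has.

```python
import hashlib

# --- Minimal DER encode/decode helpers (written for this example) -----------

def der_len(n):
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

def der_read_tlv(buf, off):
    """Return (tag, value, next_offset) for the TLV starting at buf[off]."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

def der_children(seq_body):
    """List the (tag, full_encoding) of each TLV inside a SEQUENCE body."""
    out, off = [], 0
    while off < len(seq_body):
        tag, _, nxt = der_read_tlv(seq_body, off)
        out.append((tag, seq_body[off:nxt]))
        off = nxt
    return out

# --- TLSA 3 1 1 logic --------------------------------------------------------

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_full = der_children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_body, _ = der_read_tlv(tbs_full, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:      # explicit [0] version is optional; skip it
        fields = fields[1:]
    spki_tag, spki_full = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_full              # selector 1 hashes the full SPKI encoding

def tlsa_3_1_1(cert_der):
    """Generate the TLSA record data for usage 3, selector 1, matching type 1."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()

def tlsa_matches(record, cert_der):
    """Check a '3 1 1 <hex>' record against the certificate's SPKI hash."""
    usage, selector, mtype, data = record.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only DANE-EE(3) SPKI(1) SHA-256(1) records handled here")
    return hashlib.sha256(extract_spki(cert_der)).hexdigest() == data.lower()

# --- Constructed test data (dummy key, dummy signature; not a real cert) -----

RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption
SHA256_RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
# SPKI with a 200-byte dummy key blob so long-form DER lengths are exercised.
CONSTRUCTED_SPKI = der_seq(der_seq(RSA_OID, der_tlv(0x05, b"")),
                           der_tlv(0x03, b"\x00" + bytes(range(200))))
OTHER_SPKI = der_seq(der_seq(RSA_OID, der_tlv(0x05, b"")),
                     der_tlv(0x03, b"\x00" + bytes(range(200, 0, -1))))

def constructed_cert(spki_der):
    """Wrap an SPKI in a skeletal certificate; every other field is a dummy."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # [0] INTEGER 2 (v3)
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_seq(SHA256_RSA_OID, der_tlv(0x05, b""))
    cn = der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0c, b"mx.example.test"))
    name = der_seq(der_tlv(0x31, cn))
    validity = der_seq(der_tlv(0x17, b"171001000000Z"), der_tlv(0x17, b"181001000000Z"))
    tbs = der_seq(version, serial, sig_alg, name, validity, name, spki_der)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" * 17))  # fake signature

CONSTRUCTED_CERT = constructed_cert(CONSTRUCTED_SPKI)

if __name__ == "__main__":
    rec = tlsa_3_1_1(CONSTRUCTED_CERT)
    print("TLSA record for constructed cert:", rec)
    print("matches own cert:", tlsa_matches(rec, CONSTRUCTED_CERT))
    print("matches other key:", tlsa_matches(rec, constructed_cert(OTHER_SPKI)))
```

Because the record hashes only the SPKI, renewing a certificate while keeping the same key pair leaves a "3 1 1" record valid, whereas a renewal that generates a new key silently breaks DANE for every sending MTA until the TLSA record is updated; checking the published record against the live certificate after each renewal is the practical safeguard.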
