On 2017-10-26 02:58 PM, Christian Kivalo wrote:
Am 26. Oktober 2017 23:08:16 MESZ schrieb Gao <g...@pztop.com>:
Hi,
I am trying to set up DANE on my mail server, but I have never seen a
"Verified TLS connection..." in the log. I always got:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
My system is Postfix 3.2.3 on CentOS 7.4
# postconf -d | grep mail_version
mail_version = 3.2.3
main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
DNSSEC has been set up and a TLSA record added. It passed the tests at
https://www.huque.com/bin/danecheck and https://dane.sys4.de/
TLSA records found: 1
TLSA: 3 1 1
f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616
Connecting to IPv4 address: 45.62.235.110 port 25
recv: 220 cac.mydomain.com ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-cac.mydomain.com
recv: 250-PIPELINING
recv: 250-SIZE 10240000
recv: 250-VRFY
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250 DSN
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
0 Subject CN: cac.mydomain.com
Issuer CN: Let's Encrypt Authority X3
1 Subject CN: Let's Encrypt Authority X3
Issuer CN: DST Root CA X3
SAN dNSName: cac.mydomain.com
SAN dNSName: mydomain.com
DANE TLSA 3 1 1 [f2545e3b5b42...] matched EE certificate at depth 0
Validated Certificate chain:
0 Subject CN: cac.mydomain.com
Issuer CN: Let's Encrypt Authority X3
SAN dNSName: cac.mydomain.com
SAN dNSName: mydomain.com
[0] Authentication succeeded for all (1) peers.
So I must have missed something... I can't figure it out. Please help.
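The danecheck output above reports a "3 1 1" record matching the EE certificate at depth 0. The following script, added here as an example and not code from the thread or from Postfix, shows what that match means: parse the TLSA presentation format, pick the subject the selector names (whole certificate or only the SubjectPublicKeyInfo), hash it as the matching type says, and compare. THREAD_RECORD is the hash danecheck printed; the "certificate" is a constructed DER stand-in with the X.509 field layout (not a real certificate) built with a tiny encoder so the script runs offline, and ROTATED_CERT is a constructed second key to show how a 3 1 1 record behaves when the key changes.

```python
"""Match a certificate against a DANE-EE (usage 3) TLSA record.

Added example, not code from the thread or from Postfix. THREAD_RECORD is
the hash danecheck reported in the thread; the DER "certificate" below is a
constructed stand-in with the X.509 field layout (not a valid certificate),
built with a tiny DER encoder so this runs offline.
"""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(data: bytes):
    """Yield (tag, body, whole_tlv) for each TLV laid out back to back in data."""
    i = 0
    while i < len(data):
        start = i
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:                       # long form: following bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        body = data[i:i + length]
        i += length
        yield tag, body, data[start:i]


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = next(der_children(cert_der))      # unwrap the outer SEQUENCE
    _, tbs_body, _ = next(der_children(cert_body))      # first element is TBSCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                            # explicit [0] version is present
        fields = fields[1:]
    return fields[5][2]                                 # sixth field: subjectPublicKeyInfo


def parse_tlsa(rdata: str):
    """Parse TLSA presentation format: usage selector matching-type hex-data."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """True if the record's association data matches the certificate (DANE-EE only)."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    if selector == 0:
        subject = cert_der                              # full certificate
    elif selector == 1:
        subject = spki_from_cert(cert_der)              # SubjectPublicKeyInfo only
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        digest = subject                                # exact match, no hash
    elif mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return digest == assoc


def build_demo_cert(spki: bytes) -> bytes:
    """Constructed stand-in with the Certificate/TBSCertificate field layout."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),          # [0] version v3
        der_tlv(0x02, b"\x01"),                          # serialNumber
        der_tlv(0x30, b""),                              # signature algorithm (placeholder)
        der_tlv(0x30, b""),                              # issuer (placeholder)
        der_tlv(0x30, b""),                              # validity (placeholder)
        der_tlv(0x30, b""),                              # subject (placeholder)
        spki,                                            # subjectPublicKeyInfo
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed key material: an SPKI-shaped SEQUENCE wrapping a fake BIT STRING.
DEMO_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00demo-public-key"))
ROTATED_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00rotated-key"))
DEMO_CERT = build_demo_cert(DEMO_SPKI)
ROTATED_CERT = build_demo_cert(ROTATED_SPKI)       # same layout, new key after a renewal

DEMO_RECORD_311 = "3 1 1 " + hashlib.sha256(DEMO_SPKI).hexdigest()
DEMO_RECORD_301 = "3 0 1 " + hashlib.sha256(DEMO_CERT).hexdigest()
THREAD_RECORD = "3 1 1 f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616"

if __name__ == "__main__":
    print("3 1 1 vs demo cert:   ", tlsa_matches(DEMO_CERT, DEMO_RECORD_311))     # True
    print("3 0 1 vs demo cert:   ", tlsa_matches(DEMO_CERT, DEMO_RECORD_301))     # True
    print("3 1 1 vs rotated key: ", tlsa_matches(ROTATED_CERT, DEMO_RECORD_311))  # False
    print("thread record vs demo:", tlsa_matches(DEMO_CERT, THREAD_RECORD))       # False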
It looks like you have your inbound DANE config set up, and DANE-checking systems can
utilize DANE to verify your certs.
You will only have "verified" in your logs when you /send/ mail to a DANE-enabled
domain. Try this service to check your outbound DANE config:
https://havedane.net/
Thank you for the information. I tested at the site and now my maillog
shows:
Oct 26 15:43:18 cac postfix/smtp[19178]: connect to
dont.havedane.net[2001:1af8:4700:a118:90::7c0]:25: Network is unreachable
Oct 26 15:43:18 cac postfix/smtp[19179]: connect to
wrong.havedane.net[2001:1af8:4700:a118:90::7c0]:25: Network is unreachable
Oct 26 15:43:19 cac postfix/smtp[19179]: certificate verification failed
for wrong.havedane.net[5.79.70.105]:25: untrusted issuer
/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston
CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Oct 26 15:43:19 cac postfix/smtp[19179]: Untrusted TLS connection
established to wrong.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 26 15:43:19 cac postfix/smtp[19178]: Anonymous TLS connection
established to dont.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
AECDH-AES256-SHA (256/256 bits)
*Oct 26 15:43:19 cac postfix/smtp[19174]: Verified TLS connection
established to do.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)*
Oct 26 15:43:19 cac postfix/smtp[19179]: 1687A20C5404:
to=<e076c4c02828f...@wrong.havedane.net>,
relay=wrong.havedane.net[5.79.70.105]:25, delay=12,
delays=11/0.07/1.5/0, dsn=4.7.5, status=deferred (Server certificate not
trusted)
Oct 26 15:43:19 cac postfix/smtp[19178]: 1687A20C5404:
to=<e076c4c02828f...@dont.havedane.net>,
relay=dont.havedane.net[5.79.70.105]:25, delay=12,
delays=11/0.06/1.7/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
B22A8C0867)
Oct 26 15:43:19 cac postfix/smtp[19174]: 1687A20C5404:
to=<e076c4c02828f...@do.havedane.net>,
relay=do.havedane.net[5.79.70.105]:25, delay=12, delays=11/0.04/1.7/0.2,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B8636C0868)
I tested before by sending email to a Gmail account. I was wrong to
think Gmail supports DANE, and they probably don't.
Thanks a lot!
Gao