I had a message defer indefinitely, ostensibly due to the lack of a TLSA
record, which seems like a poor excuse. I expect this indicates that
there's something I don't get about DANE and/or specifically
"smtp_tls_security_level = dane" in Postfix. I seek enlightenment.
Indeed there was and is no TLSA record for the target machine, but it
does have a CA-issued certificate. Oddly, it answers with a banner full
of asterisks but it also advertises STARTTLS if you give it an EHLO.
After I switched smtp_tls_security_level from "dane" to "may" the mail
went through BUT only as plaintext because apparently Postfix saw that
**** banner and decided to enable the PIX workarounds (including
disable_esmtp). This outbound gateway has been delivering hundreds of
messages per day with TLS to other targets without any difficulties for
months. Today it has made 683 successful TLS client connections so far.
The Postfix instance is an outbound gateway on a FreeBSD 12.1p6 VM. It
is currently running Postfix 3.5.4, from the FreeBSD binary package.
Log lines for the relevant message:
[root@be03 ~]# grep 4BhQWH3Gq7zBsQ1 /var/log/maillog
Sep 2 13:58:03 be03 postfix/smtpd[46490]: 4BhQWH3Gq7zBsQ1:
client=mail.uscrules.com[REDACTEDIP]
Sep 2 13:58:03 be03 postfix/cleanup[46492]: 4BhQWH3Gq7zBsQ1:
message-id=<BCFA6F0E-B696-4510-88EE-2446CD6154C8@REDACTEDDOM2>
Sep 2 13:58:03 be03 postfix/qmgr[6807]: 4BhQWH3Gq7zBsQ1:
from=<REDACTEDUSER2.com>, size=2075122, nrcpt=1 (queue active)
Sep 2 13:58:49 be03 postfix/smtp[46493]: 4BhQWH3Gq7zBsQ1:
to=<redactedus...@deaecom.gov>, relay=none, delay=46,
delays=0.15/0.01/46/0, dsn=4.7.5, status=deferred (TLSA lookup error for
mail.deaecom.gov:25)
Sep 2 14:07:59 be03 postfix/qmgr[6807]: 4BhQWH3Gq7zBsQ1:
from=<REDACTEDUSER2.com>, size=2075122, nrcpt=1 (queue active)
Sep 2 14:08:45 be03 postfix/smtp[47343]: 4BhQWH3Gq7zBsQ1:
to=<redactedus...@deaecom.gov>, relay=none, delay=642,
delays=596/0.02/46/0, dsn=4.7.5, status=deferred (TLSA lookup error for
mail.deaecom.gov:25)
Sep 2 14:08:45 be03 postfix/bounce[47374]: 4BhQWH3Gq7zBsQ1: sender
delay notification: 4BhQld2sgmzBsV5
[ Many repeats elided ...]
Sep 2 20:15:06 be03 postfix/qmgr[81586]: 4BhQWH3Gq7zBsQ1:
from=<REDACTEDUSER2.com>, size=2075122, nrcpt=1 (queue active)
Sep 2 20:15:53 be03 postfix/smtp[82546]: 4BhQWH3Gq7zBsQ1:
to=<redactedus...@deaecom.gov>, relay=none, delay=22670,
delays=22623/0.06/46/0, dsn=4.7.5, status=deferred (TLSA lookup error
for mail.deaecom.gov:25)
Sep 2 20:21:45 be03 postfix/qmgr[81586]: 4BhQWH3Gq7zBsQ1:
from=<REDACTEDUSER2.com>, size=2075122, nrcpt=1 (queue active)
Sep 2 20:21:46 be03 postfix/smtp[83698]: 4BhQWH3Gq7zBsQ1: enabling PIX
workarounds: disable_esmtp delay_dotcrlf for
mail.deaecom.gov[149.101.26.25]:25
Sep 2 20:21:56 be03 postfix/smtp[83698]: 4BhQWH3Gq7zBsQ1:
to=<redactedus...@deaecom.gov>,
relay=mail.deaecom.gov[149.101.26.25]:25, delay=23033,
delays=23023/0.01/0.1/11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as ADE4E10405B)
Sep 2 20:21:56 be03 postfix/qmgr[81586]: 4BhQWH3Gq7zBsQ1: removed
postconf -n:
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 90s
enable_long_queue_ids = yes
header_checks = pcre:$config_directory/header_checks
html_directory = /usr/local/share/doc/postfix
inet_interfaces = be03-outbound.REDACTEDDOMAIN
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 1d
meta_directory = /usr/local/libexec/postfix
myhostname = be03-outbound.REDACTEDDOMAIN
mynetworks = REDACTEDNET
mynetworks_style = subnet
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_dns_support_level = dnssec
smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtpd_relay_restrictions = permit_mynetworks,reject
unknown_local_recipient_reject_code = 550
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
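As an added example (my code, not part of Bill Cole's post and not Postfix's own tooling), here is a small Python pass over the kind of smtp(8) maillog lines quoted above. It folds the per-attempt records into one outcome per queue ID, counts deferrals that cite a TLSA lookup error, records any "enabling PIX workarounds" notice, and then answers the two operational questions the post raises: which messages are still stuck on the TLSA error, and which ones were eventually delivered after ESMTP was disabled (and therefore without any chance of STARTTLS). The entries in SAMPLE_LOG are constructed from the excerpt with shortened addresses plus two hypothetical extra queue IDs for contrast; real maillog records are one per line, unlike the mail-wrapped quote.

```python
"""Summarise Postfix smtp(8) delivery outcomes per queue ID from maillog lines.

Added example, not from the original post. It recognises the two smtp(8)
events seen in the log excerpt: to=<...>/relay=/dsn=/status= delivery
records and the "enabling PIX workarounds" notice.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Delivery record written by smtp(8). The queue ID is matched loosely so both
# short and long (enable_long_queue_ids = yes) forms work.
_DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Notice logged when smtp(8) switches on its Cisco PIX workarounds.
_PIX = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): enabling PIX workarounds: "
    r"(?P<workarounds>.+?) for (?P<host>\S+)$"
)


@dataclass
class Outcome:
    attempts: int = 0
    deferred_tlsa: int = 0        # deferrals whose reason cites a TLSA lookup error
    final_status: str = ""        # status of the last delivery attempt seen
    final_relay: str = ""
    pix_workarounds: list = field(default_factory=list)


def summarize(lines):
    """Fold smtp(8) log lines into a {queue_id: Outcome} map."""
    outcomes = defaultdict(Outcome)
    for line in lines:
        m = _PIX.search(line)
        if m:
            outcomes[m["qid"]].pix_workarounds.extend(m["workarounds"].split())
            continue
        m = _DELIVERY.search(line)
        if not m:
            continue
        o = outcomes[m["qid"]]
        o.attempts += 1
        o.final_status = m["status"]
        o.final_relay = m["relay"]
        if m["status"] == "deferred" and "TLSA lookup error" in m["reason"]:
            o.deferred_tlsa += 1
    return dict(outcomes)


def stuck_on_tlsa(outcomes):
    """Queue IDs whose latest attempt is still deferred on a TLSA lookup error."""
    return sorted(q for q, o in outcomes.items()
                  if o.final_status == "deferred" and o.deferred_tlsa > 0)


def delivered_without_esmtp(outcomes):
    """Queue IDs sent after smtp(8) disabled ESMTP. STARTTLS is an ESMTP
    extension offered only in reply to EHLO, so with disable_esmtp in effect
    the session cannot have been upgraded to TLS."""
    return sorted(q for q, o in outcomes.items()
                  if o.final_status == "sent" and "disable_esmtp" in o.pix_workarounds)


# Constructed sample modelled on the excerpt (addresses shortened; the two
# queue IDs containing "hypothetical" are invented for contrast).
SAMPLE_LOG = [
    "Sep 2 13:58:49 be03 postfix/smtp[46493]: 4BhQWH3Gq7zBsQ1: to=<user@deaecom.gov>, relay=none, delay=46, delays=0.15/0.01/46/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail.deaecom.gov:25)",
    "Sep 2 14:08:45 be03 postfix/smtp[47343]: 4BhQWH3Gq7zBsQ1: to=<user@deaecom.gov>, relay=none, delay=642, delays=596/0.02/46/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail.deaecom.gov:25)",
    "Sep 2 20:21:45 be03 postfix/smtp[83698]: 4BhQWH3Gq7zBsQ1: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail.deaecom.gov[149.101.26.25]:25",
    "Sep 2 20:21:56 be03 postfix/smtp[83698]: 4BhQWH3Gq7zBsQ1: to=<user@deaecom.gov>, relay=mail.deaecom.gov[149.101.26.25]:25, delay=23033, delays=23023/0.01/0.1/11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ADE4E10405B)",
    "Sep 2 20:22:10 be03 postfix/smtp[83701]: 4BhQZ0hypotheticalA: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.3, delays=0.1/0/0.6/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Sep 2 20:22:30 be03 postfix/smtp[83702]: 4BhQZ1hypotheticalB: to=<other@deaecom.gov>, relay=none, delay=120, delays=0.1/0.01/120/0, dsn=4.7.5, status=deferred (TLSA lookup error for mail.deaecom.gov:25)",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for qid, o in result.items():
        print(f"{qid}: {o.attempts} attempt(s), {o.deferred_tlsa} TLSA deferral(s), "
              f"final={o.final_status} via {o.final_relay or '-'}, pix={o.pix_workarounds}")
    print("still deferred on TLSA lookup error:", stuck_on_tlsa(result))
    print("sent with ESMTP disabled (no STARTTLS possible):", delivered_without_esmtp(result))
```

To run it against a live gateway, feed `open("/var/log/maillog")` to `summarize()` instead of SAMPLE_LOG; the regexes only need the standard smtp(8) record format, not the wrapped layout of the quoted excerpt.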