On Mon, May 03, 2021 at 01:56:32PM +0200, Bjoern Franke wrote:
> It seems neusta.de can be added to the list:
>
> posttls-finger neusta.de
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
> found. Name service error for name=_25._tcp.smtp-relay-in-s1.neusta.de
> type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to neusta.de via
> smtp-relay-in-s1.neusta.de: TLSA lookup error for
> smtp-relay-in-s1.neusta.de:25
>
> Postfix uses knot-resolver, knot-resolver disables QNAME-minimization
> automatically.
I am not sure what you mean by "disables QNAME-minimisation
automatically", but if it is on by default, and subject to some sort of
dynamic fallback, I strongly recommend that you instead disable it
*statically* (always off), or set a very small limit on the number of
labels for which it is applied:
- No qname minimisation after the first two labels, the first
3-label query should be the full domain.
My resolver has no trouble getting denial of existence for this
domain (which foolishly uses NSEC3 opt-out, but that's typically
harmless):
neusta.de. IN MX 10 smtp-relay-in-s1.neusta.de. ; NoError AD=1
smtp-relay-in-s1.neusta.de. IN A 82.198.213.163 ; NoError AD=1
smtp-relay-in-s1.neusta.de. IN AAAA ? ; NODATA AD=1
_25._tcp.smtp-relay-in-s1.neusta.de. IN TLSA ? ; NXDomain AD=0
Thus posttls-finger also works:
$ posttls-finger -c -Lsummary neusta.de
posttls-finger: certificate verification failed for
smtp-relay-in-s1.neusta.de[82.198.213.163]:25: untrusted issuer
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate
Services
posttls-finger: Untrusted TLS connection established to
smtp-relay-in-s1.neusta.de[82.198.213.163]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
RSA-PSS (2048 bits) server-digest SHA256
I use "unbound" with qname minimisation not enabled.
--
Viktor.
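The decision the thread is exercising, written out as an added example (this is editor-added code, not Postfix or posttls-finger code): DANE applies only when the MX RRset is DNSSEC-validated, a denial of existence for the `_25._tcp.<mx-host>` name (validated or not, as with the NSEC3 opt-out case above) means plain opportunistic TLS, and a resolver error such as the "try again" failure Bjoern saw means no session is attempted at all. The `DnsAnswer` records are constructed to mirror the responses quoted in the message.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class DnsAnswer:
    name: str
    rrtype: str
    rcode: str                  # "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"
    ad: bool                    # AD bit: the resolver validated the answer or denial
    rdata: List[str] = field(default_factory=list)   # NOERROR + empty == NODATA


def tlsa_name(host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an SMTP host: _25._tcp.<mx-host>."""
    return f"_{port}._tcp.{host.rstrip('.')}."


def tlsa_status(a: DnsAnswer) -> str:
    """'present' (validated TLSA RRset), 'absent' (NXDOMAIN, NODATA or an
    unvalidated RRset, so DANE does not apply) or 'error' (unusable reply)."""
    if a.rcode == "NOERROR":
        if not a.rdata:
            return "absent"
        return "present" if a.ad else "absent"
    if a.rcode == "NXDOMAIN":
        return "absent"             # AD=0 is fine here (e.g. NSEC3 opt-out span)
    return "error"                  # SERVFAIL, timeout: a temporary lookup error


def dane_outcome(mx: DnsAnswer, tlsa: DnsAnswer) -> str:
    """'dane' (verify the certificate against TLSA), 'opportunistic' (STARTTLS
    with an untrusted certificate accepted) or 'defer' (TLSA lookup error,
    the session is not established, as in the quoted failure)."""
    if mx.rcode != "NOERROR" or not mx.ad or not mx.rdata:
        return "opportunistic"      # MX not validated: DANE cannot apply
    status = tlsa_status(tlsa)
    if status == "error":
        return "defer"
    return "dane" if status == "present" else "opportunistic"


# Constructed answers mirroring the records quoted in the message.
MX_HOST = "smtp-relay-in-s1.neusta.de"
MX_OK = DnsAnswer("neusta.de.", "MX", "NOERROR", True, [f"10 {MX_HOST}."])
TLSA_NX = DnsAnswer(tlsa_name(MX_HOST), "TLSA", "NXDOMAIN", False)       # Viktor's resolver
TLSA_ERR = DnsAnswer(tlsa_name(MX_HOST), "TLSA", "SERVFAIL", False)      # Bjoern's resolver

if __name__ == "__main__":
    print("unbound:       ", dane_outcome(MX_OK, TLSA_NX))    # opportunistic
    print("knot-resolver: ", dane_outcome(MX_OK, TLSA_ERR))   # defer
```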