Hello,

Since I upgraded to Debian 11 (postfix 3.5.6, was 3.4.14), my cluster fails inter-node deliveries.

I have TLSA errors in logs:

Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup error for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup error for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup error for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: 25DC06C3F5: to=<**@durel.org>, orig_to=<**@geekwu.org>, relay=none, delay=330685, delays=330685/0.04/0/0, dsn=4.7.5, status=deferred (no TLSA records found)

despite having TLSA records, validating on the local machine:

root@arrakeen:/etc/postfix# dig @127.0.0.1 +dnssec tlsa _25._tcp.corrin.geekwu.org.

; <<>> DiG 9.16.15-Debian <<>> @127.0.0.1 +dnssec tlsa _25._tcp.corrin.geekwu.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51761
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.corrin.geekwu.org. IN TLSA

;; ANSWER SECTION:
_25._tcp.corrin.geekwu.org. 3447 IN TLSA 3 1 1 FAE929F83350BA24E5A8BFF29680E2EAE0179D9A906DA7F5C1272765 9D7D5853
_25._tcp.corrin.geekwu.org. 3447 IN RRSIG TLSA 14 5 3600 20210902021717 20210819004717 15961 geekwu.org. tlZKOyKWPh1SmeyUkvGgtdnl8ZJE9Ce4e1weh6QHRLdto9Ru+FrzBib2 Q2JHc3rb+FfFvmpi8Kg77Yb4aM5pU8UjpkQAuEnR/zzlkWV9TBu3bxp/ htJZbpXq5FAFyEFz

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. août 24 15:57:26 CEST 2021
;; MSG SIZE rcvd: 240

root@arrakeen:/etc/postfix# dig @127.0.0.1 +dnssec tlsa _26._tcp.corrin.geekwu.org.

; <<>> DiG 9.16.15-Debian <<>> @127.0.0.1 +dnssec tlsa _26._tcp.corrin.geekwu.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50364
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_26._tcp.corrin.geekwu.org. IN TLSA

;; ANSWER SECTION:
_26._tcp.corrin.geekwu.org. 3434 IN TLSA 3 1 1 FAE929F83350BA24E5A8BFF29680E2EAE0179D9A906DA7F5C1272765 9D7D5853
_26._tcp.corrin.geekwu.org. 3434 IN RRSIG TLSA 14 5 3600 20210902021717 20210819004717 15961 geekwu.org. irMZhx8TE3/FpBXzDWGDHJC9AfZndE4ohnzi9WDHp8VEv26Ku75yEmh7 JxcEvMfE0HXCK2rmQe+jQSKIBgrhCG3/6TwUYBPQDsd3deQzjWy63bPX ahjyophcItfzUd7B

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. août 24 15:57:35 CEST 2021
;; MSG SIZE rcvd: 240

How can I find why these records are not found now?

I've configured the inter-node relay in master.cf as this:

lrelay    unix  -       -       y       -       -       smtp
  -o sender_canonical_maps=fail:
  -o syslog_name=postfix/cluster
  -o smtp_tls_security_level=dane-only
  -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt

It's selected by a ldap table:

server_host = localhost
search_base = ou=qmail,dc=geekwu,dc=org
query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(accountStatus=active)(!(mailHost=arrakeen.geekwu.org)))
result_attribute = mailHost
result_format = lrelay:[%s]:26

Regards,
--
Bastien
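As an added example, not taken from Bastien's post or from Postfix, the following Python script checks the two kinds of evidence quoted above without doing any DNS queries of its own. It parses a TLSA record in the presentation format dig prints (rejoining the wrapped hex, validating the `_port._tcp.host` owner name, the usage/selector/matching-type values and the digest length for the matching type, and confirming the record's port is the one the `lrelay` transport connects to, 26), checks a dig header for the `ad` flag that shows the resolver validated the answer, and summarizes "no TLSA records found" policy lookups and deferred deliveries from log lines of the shape in the post. The sample log lines are constructed in the post's format (queue id `11AA22BB33` and address `192.0.2.10` are made up); the function names are mine.

```python
import re
from collections import Counter

# Constructed sample log in the shape of the post's lines; the 4th line (queue id 11AA22BB33,
# relay address 192.0.2.10) is invented to show a successful delivery being left alone.
SAMPLE_LOG = """\
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup error for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: warning: TLS policy lookup for [corrin.geekwu.org]:26/corrin.geekwu.org: no TLSA records found
Aug 24 16:09:26 arrakeen postfix/cluster/smtp[992382]: 25DC06C3F5: to=<**@durel.org>, orig_to=<**@geekwu.org>, relay=none, delay=330685, delays=330685/0.04/0/0, dsn=4.7.5, status=deferred (no TLSA records found)
Aug 24 16:10:00 arrakeen postfix/cluster/smtp[992390]: 11AA22BB33: to=<**@durel.org>, relay=corrin.geekwu.org[192.0.2.10]:26, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 ok)
"""

# The TLSA answer line and header flags exactly as dig printed them in the post (hex wrapped by dig).
SAMPLE_TLSA = ("_26._tcp.corrin.geekwu.org. 3434 IN TLSA 3 1 1 "
               "FAE929F83350BA24E5A8BFF29680E2EAE0179D9A906DA7F5C1272765 9D7D5853")
SAMPLE_DIG_HEADER = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"

POLICY_RE = re.compile(
    r"warning: TLS policy lookup(?: error)? for "
    r"\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<name>[^:]+): (?P<reason>.+)$")
DELIVERY_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.+)\)$")

# RFC 6698 matching types: 1 = SHA-256 (32 bytes), 2 = SHA-512 (64 bytes); 0 = full certificate/SPKI data
DIGEST_BYTES = {1: 32, 2: 64}


def summarize_log(text):
    """Count 'no TLSA records found' policy lookups per (host, port) and list deferred deliveries."""
    lookups = Counter()
    deferred = []
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            if m["reason"] == "no TLSA records found":
                lookups[(m["host"], int(m["port"]))] += 1
            continue
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "deferred":
            deferred.append((m["qid"], m["to"], m["dsn"], m["detail"]))
    return lookups, deferred


def parse_tlsa(rr_text):
    """Parse a TLSA RR in presentation format and reject values that cannot be a valid record."""
    fields = rr_text.split()
    if len(fields) < 8 or fields[2:4] != ["IN", "TLSA"]:
        raise ValueError("not a TLSA record: %r" % rr_text)
    labels = fields[0].rstrip(".").split(".")
    if not (labels[0].startswith("_") and labels[0][1:].isdigit()
            and labels[1] in ("_tcp", "_udp", "_sctp")):
        raise ValueError("owner name is not _port._proto.host: %s" % fields[0])
    usage, selector, mtype = (int(f) for f in fields[4:7])
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError("unknown usage/selector/matching type: %d %d %d" % (usage, selector, mtype))
    data = bytes.fromhex("".join(fields[7:]))  # dig wraps long data with spaces; rejoin before decoding
    if mtype in DIGEST_BYTES and len(data) != DIGEST_BYTES[mtype]:
        raise ValueError("digest is %d bytes, matching type %d needs %d" % (len(data), mtype, DIGEST_BYTES[mtype]))
    return {
        "port": int(labels[0][1:]), "proto": labels[1][1:], "host": ".".join(labels[2:]),
        "usage": usage, "selector": selector, "mtype": mtype, "data": data.hex().upper(),
        # RFC 7672 lets SMTP clients treat PKIX-TA(0)/PKIX-EE(1) as unusable; DANE-TA(2)/DANE-EE(3) are what count
        "usable_for_smtp": usage in (2, 3),
    }


def resolver_validated(dig_output):
    """True when dig's header carries the AD flag, i.e. the resolver validated the answer with DNSSEC."""
    m = re.search(r"^;; flags:\s*([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()


def tlsa_matches_transport(tlsa, relay_host, relay_port):
    """Postfix looks up _<port>._tcp.<nexthop host> for a [host]:port transport; check the record is that one."""
    return tlsa["host"] == relay_host and tlsa["port"] == relay_port and tlsa["proto"] == "tcp"


if __name__ == "__main__":
    lookups, deferred = summarize_log(SAMPLE_LOG)
    for (host, port), n in lookups.items():
        print("%d TLSA lookup failure(s) for [%s]:%d" % (n, host, port))
    for qid, to, dsn, detail in deferred:
        print("deferred %s to=%s dsn=%s (%s)" % (qid, to, dsn, detail))
    rec = parse_tlsa(SAMPLE_TLSA)
    print("TLSA for %s port %d: usage %d, usable for SMTP DANE: %s"
          % (rec["host"], rec["port"], rec["usage"], rec["usable_for_smtp"]))
    print("resolver set AD:", resolver_validated(SAMPLE_DIG_HEADER))
    print("record is for transport [corrin.geekwu.org]:26:", tlsa_matches_transport(rec, "corrin.geekwu.org", 26))
```

The script only validates what dig and the log already show; it does not query DNS. Two caveats a practitioner would check alongside it: Postfix attempts DANE only with `smtp_dns_support_level = dnssec`, and it trusts the AD bit from the resolver named in the `/etc/resolv.conf` that the `smtp(8)` process actually reads, so a validated answer from `dig @127.0.0.1` on the host does not by itself show that the Postfix client saw the same answer.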