Dear Postfix folks,
On 17.02.22 at 10:57, Paul Menzel wrote:
Using Postfix 3.6.0-rc1, for an email sent to x.y.molgen.mpg.de it looks
up the TLSA records for y.molgen.mpg.de instead of x.y.molgen.mpg.de:
2022-02-12T12:02:21+01:00 tldr postfix/smtp[25656]: warning: TLS policy
lookup for github.molgen.mpg.de/github.molgen.mpg.de: no TLSA records found
2022-02-12T12:02:21+01:00 tldr postfix/smtp[25656]: 6D99D61E6478B:
to=<reply+aaaacsicemwr3r6pflrtadwacnzzlevbnhgs...@reply.github.molgen.mpg.de>,
relay=none, delay=0.3, delays=0.28/0.02/0/0, dsn=4.7.5, status=deferred (no TLSA
records found)
I forgot to mention that this is all handled internally. I haven’t
tried from another domain.
Note that we have the dane-only TLS policy configured for our domains, as we
use DNSSEC and the MTAs all have TLSA records published. (And the dane TLS
policy unfortunately falls back to encrypt and not secure.)
Indeed, for github.molgen.mpg.de no MX record exists, but there shouldn’t
be one, as the message goes to reply.github.molgen.mpg.de:
$ dig mx reply.github.molgen.mpg.de +dnssec +short
5 mx3.molgen.mpg.de.
MX 7 5 7200 20220318110038 20220216110038 14960 molgen.mpg.de.
kTDvX9PKXC9sk96QViR09wUATN3m96sz6Ha6FrMRBrjxUa1OU1AdhvVj
cJbRyetiHy3v+uOPdrng4NLVAow/omnF7Ph0twfz9p9EXUfOBBC/6QJJ
Ym5JfxgjDWReHVFw5Y+duQSXtvSOjJR0KwHECtcAClWxO0e98/EtvEmP
TQajwIkw5sA8wOmcIMu6BKIjaEZvEVB6NQxT72HrEpNbsKWnbBWfj71k
qYag1hsmuVWzjLtN8E2AtPYic13x55t8tV1hEnlHcgFAp2Fya1y+o6hA
okDMrg9JUf3/qSjjox3hY78IKAcw8KDz8DEwvjBnr76/6ut9zQ2oIc+P XA7N+w==
$ dig _25._tcp.mx3.molgen.mpg.de IN TLSA +short
3 1 2 7AAD43A0FDFF34452CA695A2B510F613A2997077E4C2EDFF2B32DE36
26552C2832EF72F5DC12B5FE3984BAFE1B87406207EDAD34A4F3E11F 49CD4A23DB83374C
The DANE SMTP Validator verifies that it should work for
reply.github.molgen.mpg.de [1].
Any idea why github.molgen.mpg.de is looked at?
Kind regards,
Paul
[1]: https://dane.sys4.de/smtp/reply.github.molgen.mpg.de
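As an added illustration of the lookup chain the message describes (this is not part of Paul's mail nor Postfix code), the Python below takes the MX answer from the quoted dig output, derives the _25._tcp owner name that a DANE SMTP client queries for that MX target, parses the TLSA record quoted above, and checks a "3 1 2" (DANE-EE, SPKI, SHA-512) record against a presented SubjectPublicKeyInfo. SAMPLE_SPKI is constructed filler, not a real key; the TLSA hex is the record from the mail.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

# TLSA record quoted in the message (dig _25._tcp.mx3.molgen.mpg.de IN TLSA +short),
# with the line-wrapped hex joined back together.
TLSA_RECORD = (
    "3 1 2 7AAD43A0FDFF34452CA695A2B510F613A2997077E4C2EDFF2B32DE36"
    "26552C2832EF72F5DC12B5FE3984BAFE1B87406207EDAD34A4F3E11F"
    "49CD4A23DB83374C"
)

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; not a real key.
SAMPLE_SPKI = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + b"\x01" * 128


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_mx_short(line: str) -> Tuple[int, str]:
    """Split one 'dig mx ... +short' answer line into (preference, target)."""
    pref, target = line.split()
    return int(pref), target


def tlsa_owner_name(mx_target: str, port: int = 25) -> str:
    """Owner name a DANE SMTP client queries for an MX target: _<port>._tcp.<target>."""
    return f"_{port}._tcp.{mx_target.rstrip('.')}."


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation-format TLSA data; the hex may be split across whitespace."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or matching not in range(3):
        raise ValueError("unknown TLSA usage/selector/matching type")
    data = bytes.fromhex("".join(fields[3:]))
    expected = {1: 32, 2: 64}.get(matching)  # digest length for SHA-256 / SHA-512
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching} needs {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, matching, data)


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the presented certificate side must equal for this record to match."""
    subject = spki_der if rec.selector == 1 else cert_der
    if rec.matching == 0:
        return subject
    algo = hashlib.sha256 if rec.matching == 1 else hashlib.sha512
    return algo(subject).digest()


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the record's data equals the digest (or raw bytes) of the presented material."""
    return association_data(rec, cert_der, spki_der) == rec.data


def tlsa_for_spki(spki_der: bytes) -> str:
    """Presentation-format '3 1 2' record (same combination as the quoted record) for an SPKI."""
    return "3 1 2 " + hashlib.sha512(spki_der).hexdigest().upper()


def tlsa_name_for_mx_answer(mx_short_line: str) -> str:
    """MX answer line -> TLSA owner name, i.e. the name that should be looked up."""
    _pref, target = parse_mx_short(mx_short_line)
    return tlsa_owner_name(target)


if __name__ == "__main__":
    # The MX answer from the mail leads to the TLSA name that was actually published.
    print(tlsa_name_for_mx_answer("5 mx3.molgen.mpg.de."))
    rec = parse_tlsa(TLSA_RECORD)
    print(rec.usage, rec.selector, rec.matching, len(rec.data), "bytes of SHA-512")
```

The point of the owner-name helper is the one the mail raises: the TLSA lookup belongs to the MX target of the recipient domain (here _25._tcp.mx3.molgen.mpg.de), not to the parent of the recipient domain, so a "no TLSA records found" warning naming a different host is a sign that the wrong name was resolved before the TLSA step.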