On Tue, May 02, 2023 at 07:03:55PM -0400, PGNet Dev via Postfix-users wrote:
> > Also look into other possibilities, the DST Root issue is a bit of a
> > longshot. If you can get an account on Outlook.com, send mail and
> > see if it bounces with usable diagnostics in the bounce.
>
> I changed the preferred chain here, and for all my domains (thx o/ !).
> it certainly didn't hurt.
Presumably you then also *force* renewed the certificate chain.
> But, i'm increasingly sure that your original speculation was correct
> -- bad rollover. cleaning up DNS config, and forcing a clean
> rollover, seems to have done the trick.
But your original chain did validate as far as posttls-finger was
concerned, so perhaps the root CA was the issue?
> After the dns cleanup, switching BACK the preferred chain didn't
> reinit the issue.
Did you *force* renewal at that point?
> When I looked at the logs I was given, DNSSEC/dane issues didn't leap
> out at me -- but you mentioned them.
>
> What in those logs suggested DNSSEC/dane to you? Anything specific,
> or just likelihood?
Microsoft is one of the few *large* email providers (Google, Microsoft,
Yahoo) that supports DANE (for now just outbound). But DANE appeared to
be fine on your end.
> In any case, I want to set up a DNSSEC rollover 'canary' ...
> tool/script that'll notify me on failures, like "this". Before I cobble
> something up from scratch -- is there a recommended/best-practice tool
> for the job?
See
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources#221-deployment-and-monitoring
Perhaps, specifically: https://github.com/PennockTech/smtpdane but let
us know which worked out best for you.
However, perhaps simple is best in which case tweak the attached bash
shell script to meet your needs. Note this only tests one IP address
per probe, a full check would try all IP addresses both IPv4 and IPv6 as
well as all permutations of TLS 1.2/1.3 and preferred public key
algorithm. Extending the script to do more tests should be easy.
Sample output from "danesmtp mx1-edge.pgnetwork.net":
=== TLS 1.3 with ECDSA preferred:
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_CHACHA20_POLY1305_SHA256
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Peer certificate: CN = mx1-edge.pgnetwork.net
Hash used: SHA384
Signature type: ECDSA
Verification: OK
DANE TLSA 3 1 2 ...18133fc2d94d1260e012bf5a matched EE certificate at depth 0
Server Temp Key: X25519, 253 bits
250 SMTPUTF8
DONE
=== TLS 1.3 with RSA preferred:
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_CHACHA20_POLY1305_SHA256
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Peer certificate: CN = mx1-edge.pgnetwork.net
Hash used: SHA384
Signature type: ECDSA
Verification: OK
DANE TLSA 3 1 2 ...18133fc2d94d1260e012bf5a matched EE certificate at depth 0
Server Temp Key: X25519, 253 bits
250 SMTPUTF8
DONE
=== TLS 1.3 with EDDSA preferred:
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_CHACHA20_POLY1305_SHA256
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Peer certificate: CN = mx1-edge.pgnetwork.net
Hash used: SHA384
Signature type: ECDSA
Verification: OK
DANE TLSA 3 1 2 ...18133fc2d94d1260e012bf5a matched EE certificate at depth 0
Server Temp Key: X25519, 253 bits
250 SMTPUTF8
DONE
=== TLS 1.2 with ECDSA preferred:
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer certificate: CN = mx1-edge.pgnetwork.net
Hash used: SHA256
Signature type: ECDSA
Verification: OK
DANE TLSA 3 1 2 ...18133fc2d94d1260e012bf5a matched EE certificate at depth 0
Supported Elliptic Curve Point Formats:
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: X448, 448 bits
250 SMTPUTF8
DONE
=== TLS 1.2 with RSA preferred:
verify depth is 9
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-ECDSA-AES256-GCM-SHA384
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer certificate: CN = mx1-edge.pgnetwork.net
Hash used: SHA256
Signature type: ECDSA
Verification: OK
DANE TLSA 3 1 2 ...18133fc2d94d1260e012bf5a matched EE certificate at depth 0
Supported Elliptic Curve Point Formats:
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: X448, 448 bits
250 SMTPUTF8
DONE
--
Viktor.
#! /usr/bin/env bash
if [ $# -eq 0 ]; then
host=$(uname -n)
else
host="$1"
shift
fi
if ! printf "%s\n" "$host" | grep -s -q '\.'; then
host=$(
(
dig +search +noall +ans +nocl +nottl -t a "$host"
dig +search +noall +ans +nocl +nottl -t aaaa "$host"
) | awk '$2 == "A" || $2 == "AAAA" {print $1; exit}' |
sed 's/\.$//'
)
fi
danesmtp () {
local host=$1
shift
local opts=(-starttls smtp "$@" -connect "$host:25" -verify 9 \
-verify_return_error -brief \
-dane_ee_no_namechecks -dane_tlsa_domain "$host")
set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
egrep -i '^[23] [01] [012] [0-9a-f]+$')
while [ $# -ge 4 ]; do
opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4")
shift 4
done
( sleep 1; printf "QUIT\r\n" ) | openssl s_client "${opts[@]}" 2>&1
}
err=0
ecdsa="ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512"
rsa="RSA+SHA256:RSA+SHA384:RSA+SHA512"
rsapss="RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512"
rsapss_pss="rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512"
rsaall="$rsa:$rsapss:$rsapss_pss"
eddsa="ed25519:ed448"
# First with ECDSA preferred
printf "\n=== TLS 1.3 with ECDSA preferred:\n"
danesmtp "$host" -tls1_3 -sigalgs "$ecdsa:$rsaall:$eddsa" || {
err=$?
printf "TLS 1.3 with ECDSA preferred failed\n"
}
# Next with RSA preferred over ECDSA
printf "\n=== TLS 1.3 with RSA preferred:\n"
danesmtp "$host" -tls1_3 -sigalgs "$rsaall:$ecdsa:$eddsa" || {
err=$?
printf "TLS 1.3 with RSA preferred failed\n"
}
# Next with EDDSA preferred over ECDSA and RSA
printf "\n=== TLS 1.3 with EDDSA preferred:\n"
danesmtp "$host" -tls1_3 -sigalgs "$eddsa:$ecdsa:$rsaall" || {
err=$?
printf "TLS 1.3 with EDDSA preferred failed\n"
}
# Next with TLSv1.2 and ECDSA
printf "\n=== TLS 1.2 with ECDSA preferred:\n"
danesmtp "$host" -tls1_2 -sigalgs "$ecdsa:$rsa" \
-cipher 'aRSA:-aRSA:aECDSA:-aECDSA:HIGH:!COMPLEMENTOFDEFAULT' || {
err=$?
printf "TLS 1.2 with ECDSA preferred failed\n"
}
# Next with TLSv1.2 and RSA
printf "\n=== TLS 1.2 with RSA preferred:\n"
danesmtp "$host" -tls1_2 -sigalgs "$rsa:$ecdsa" \
-cipher 'aECDSA:-aECDSA:aRSA:-aRSA:HIGH:!COMPLEMENTOFDEFAULT' || {
err=$?
printf "TLS 1.2 with RSA preferred failed\n"
}
exit $err
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
