Benny Pedersen via Postfix-users <postfix-users@postfix.org> writes:

> Byung-Hee HWANG via Postfix-users wrote on 2023-05-19 04:26:
>
>> Thanks for the advice!
>> 
>>>        [renewalparams]
>>>        reuse_key = True
>>>        preferred_chain = ISRG Root X1
>
>> And
>> I can't say anything yet. I need to test for a long time. If I am sure
>> what DANE is,
>
> posttls-finger example.org, basic test to test outbound

<quote>
soyeomul@yw-1130:~/git/karma/Gnus/DKIM$ ./ct.py yw-1204.doraji.xyz
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = yw-1204.doraji.xyz
verify return:1
250 CHUNKING
DONE
notBefore=May 19 06:01:23 2023 GMT
notAfter=Aug 17 06:01:22 2023 GMT
^^^
posttls-finger: using DANE RR: _25._tcp.yw-1204.doraji.xyz -> _dane.doraji.xyz IN TLSA 2 1 1 8D:02:53:6C:88:74:82:BC:34:FF:54:E4:1D:2B:A6:59:BF:85:B3:41:A0:A2:0A:FA:DB:58:13:DC:FB:CF:28:6D
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: depth=1 matched trust anchor public-key sha256 digest=8D:02:53:6C:88:74:82:BC:34:FF:54:E4:1D:2B:A6:59:BF:85:B3:41:A0:A2:0A:FA:DB:58:13:DC:FB:CF:28:6D
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: depth=0 chain is trust-anchor signed
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: Matched subjectAltName: yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25 CommonName yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: subject_CN=yw-1204.doraji.xyz, issuer_CN=R3, fingerprint=A7:84:A8:5B:69:A4:A2:2A:00:AC:CC:17:AA:EF:C0:D8:C3:BC:B4:CF:FC:D4:F3:19:5D:96:AA:45:19:44:94:BE, pkey_fingerprint=B4:B0:6C:36:72:78:08:CB:3E:27:2F:43:8C:C6:F1:A7:7E:E3:70:C5:0D:FB:24:EB:57:74:A6:11:3E:4C:6C:0F
posttls-finger: Verified TLS connection established to yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
soyeomul@yw-1130:~/git/karma/Gnus/DKIM$ 
</quote>

After reading the mails from Viktor and Joachim, I moved to "2 1 1" from
"3 1 1". I am still testing... So I can't say anything for a while.

>> I will set up an inbound server (yw-0919.doraji.xyz) with DANE.
>
> inbound is STARTTLS only

Thank you!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
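
A check that could be run after each certificate renewal, as an added example that is not part of the original message: it parses posttls-finger output like the run above and reports which TLSA record matched and at which chain depth. The name `check_dane` and the failing sample are constructed for illustration, and the shape of the "Untrusted" line is an assumption.

```python
import re

# Digest and peer copied from the posttls-finger output in the message above.
DIGEST = "8D:02:53:6C:88:74:82:BC:34:FF:54:E4:1D:2B:A6:59:BF:85:B3:41:A0:A2:0A:FA:DB:58:13:DC:FB:CF:28:6D"
PEER = "yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25"
SAMPLE_OK = f"""\
posttls-finger: using DANE RR: _25._tcp.yw-1204.doraji.xyz -> _dane.doraji.xyz IN TLSA 2 1 1 {DIGEST}
posttls-finger: {PEER}: depth=1 matched trust anchor public-key sha256 digest={DIGEST}
posttls-finger: Verified TLS connection established to {PEER}: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""
# Constructed failure case (assumed output shape): no record matches and the
# connection is reported as "Untrusted", as after a key or issuer change.
SAMPLE_STALE = "\n".join(
    l for l in SAMPLE_OK.splitlines() if " matched " not in l
).replace("Verified", "Untrusted")

RR = re.compile(r"using DANE RR: .* IN TLSA (\d) (\d) (\d) ([0-9A-F:]+)")
HIT = re.compile(r"depth=(\d+) matched .* digest=([0-9A-F:]+)")

def check_dane(output):
    """Summarise one posttls-finger run: which TLSA record matched, and where."""
    records, hit, verified = [], None, False
    for line in output.splitlines():
        if m := RR.search(line):
            records.append((int(m[1]), int(m[2]), int(m[3]), m[4]))
        elif m := HIT.search(line):
            hit = (int(m[1]), m[2])
        elif "Verified TLS connection established" in line:
            verified = True
    problems = []
    if not records:
        problems.append("no TLSA record was used")
    if not verified:
        problems.append("connection not verified")
    usage = depth = None
    if hit is None:
        problems.append("no TLSA record matched the chain")
    else:
        depth, digest = hit
        usage = next((r[0] for r in records if r[3] == digest), None)
        if usage is None:
            problems.append("matched digest is not a published record")
        # Usage 3 (DANE-EE) pins the server's own key, so it can only match at depth 0.
        elif usage == 3 and depth != 0:
            problems.append("usage 3 matched above the leaf")
    return {"ok": not problems, "usage": usage, "depth": depth, "problems": problems}

if __name__ == "__main__":
    print(check_dane(SAMPLE_OK))
    print(check_dane(SAMPLE_STALE))
```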