On 8/16/23 13:55, Viktor Dukhovni via Postfix-users wrote:
There's good reason for that, your MX host has DANE TLSA records that don't match its certificate chain:
Thanks for pointing this out, I forgot to update it when migrating from RSA to ECC certificate. On 8/16/23 13:55, Viktor Dukhovni via Postfix-users wrote:
Your server refuses SMTP connections from the DANE survey, flopster.at.encryp.ch[65.21.140.233]: GREETING 554 5.7.1 <dnssec-stats.ant.isi.edu>: Unverified Client host rejected: opt-out from the research flopster.at.encryp.ch[2a01:4f9:3b:2a5f:86e2:89a:e1f7:b837]: GREETING 554 5.7.1 <dnssec-stats.ant.isi.edu>: Unverified Client host rejected: opt-out from the research so, unfortunately, you've also not been previously notified of this problem. I would like to encourage postmasters to not block SMTP connections from the DANE survey: https://stats.dnssec-tools.org/about.html There is typically just one connection a day per MX IP address, perhaps a couple of extra connections if a problem is found. Far less hassle (a few extra *lines* in the log per day) than not being able to receive mail. And you contribute to the survey stats.
Oh, haven't thought it has such functionality (shodan/censys/etc never reached me due to any security issues found). _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
