[pfx] Re: (DNSSEC, RedHat, comcast.net, ...)

2025-03-07 Thread John Griffiths via Postfix-users
Thank you Victor, but the code in the mail log is 450 which, whether it is generated by the DNS or postfix is still a "try again later." My post to the group is a "thank you" not an "I need help." We run our own DNS which is authoritative for our domain and uses root hints to retrieve addresses

Re: DNSSEC/DANE: TLSA records looked up for parent domain

2022-02-17 Thread Paul Menzel
Dear Postfix folks, On 17.02.22 at 10:57, Paul Menzel wrote: Using Postfix 3.6.0-rc1, for an email sent to x.y.molgen.mpg.de it looks up the TLSA records for y.molgen.mpg.de instead of x.y.molgen.mpg.de:     2022-02-12T12:02:21+01:00 tldr postfix/smtp[25656]: warning: TLS policy lookup fo

Re: dnssec DS set, but no RRSIG

2021-11-15 Thread Viktor Dukhovni
On Mon, Nov 15, 2021 at 11:58:02AM +0800, Philip Paeps wrote: > On 2021-11-15 11:36:00 (+0800), Benny Pedersen wrote: > > plantmarknaden.com > > > > https://dane.sys4.de/smtp/plantmarknaden.com > > https://dnsviz.net/d/plantmarknaden.com/dnssec/ > > > > why different results ? > > I don't see 'dif

Re: dnssec DS set, but no RRSIG

2021-11-14 Thread Philip Paeps
On 2021-11-15 11:36:00 (+0800), Benny Pedersen wrote: plantmarknaden.com https://dane.sys4.de/smtp/plantmarknaden.com https://dnsviz.net/d/plantmarknaden.com/dnssec/ why different results ? I don't see 'different' results. That domain is broken. Neither of the listed DNS servers are returnin

Re: DNSSEC Howto?

2021-03-27 Thread Francesc Peñalvez
thanks Viktor On 28/03/2021 at 1:21, Viktor Dukhovni wrote: On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote: Right now dnssec is activated in the external manager zoneedit.com, in which I cannot modify the type of encryption or the length of the key. If there are no k

Re: DNSSEC Howto?

2021-03-27 Thread Viktor Dukhovni
On Sun, Mar 28, 2021 at 01:08:44AM +0100, Francesc Peñalvez wrote: > Right now dnssec is activated in the external manager zoneedit.com, in > which I cannot modify the type of encryption or the length of the key. If there are no key size or algorithm settings in zoneedit.com, then indeed you're

Re: DNSSEC Howto?

2021-03-27 Thread Francesc Peñalvez
Right now dnssec is activated in the external manager zoneedit.com, in which I cannot modify the type of encryption or the length of the key. And if I am looking to activate inbound and outbound dnssec with my postfix On 28/03/2021 at 1:03, Viktor Dukhovni wrote: On Sat, Mar 27, 2021 at

Re: DNSSEC Howto?

2021-03-27 Thread Viktor Dukhovni
On Sat, Mar 27, 2021 at 01:59:56PM +0100, Francesc Peñalvez wrote: > I have a connection of the domestic type, with 7 computers in an > internal network, in which I do not have access to make any changes to > the ip. I use external dns service to manage the bind9 service, > although I have another

Re: DNSSEC Howto?

2021-03-27 Thread Francesc Peñalvez
I have a connection of the domestic type, with 7 computers in an internal network, in which I do not have access to make any changes to the ip. I use external dns service to manage the bind9 service, although I have another installed and running locally. Both in the external and internal service

Re: DNSSEC Howto?

2021-03-27 Thread Viktor Dukhovni
On Sat, Mar 27, 2021 at 12:51:36PM +0100, Francesc Peñalvez wrote: > I have the dns of the domain managed externally, configured with > dnssec, and another host running postfix. How could I integrate that > postfix use the dnssec configuration? Would it be enough to add the > dns of the external s

Re: DNSSEC, DANE, Postfix for new-to-it admins?

2020-04-17 Thread PGNet Dev
On 4/17/20 4:29 PM, Viktor Dukhovni wrote: > More at: all links appreciated. the summary's particularly nicely readable by those of among the minion masses of normal humans ;-) > Postfix documentation covers the client side still among the best, most-exhaustively detailed s/docs/reference man/

Re: DNSSEC, DANE, Postfix for new-to-it admins?

2020-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2020 at 03:59:49PM -0700, PGNet Dev wrote: > Real World DANE Inter-domain email transport > > https://static.ptbl.co/static/attachments/169319/1520904692.pdf More at: https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources Specific issues: https://g

Re: dnssec fails for domain with dnssec disabled

2019-02-23 Thread Viktor Dukhovni
On Sat, Feb 23, 2019 at 06:20:02PM +0100, Benny Pedersen wrote: > sorry for OT but > > named[29088]: validating ebokssmtp.e-boks.dk/A: no valid signature found > named[29088]: validating advisering.e-boks.dk/MX: no valid signature found > named[29088]: validating e-boks.dk/SOA: no valid signature

Re: DNSSEC - DANE

2014-12-31 Thread John
On December 31, 2014 12:37:52 PM Viktor Dukhovni wrote: On Wed, Dec 31, 2014 at 12:45:20AM -0500, John wrote: > https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1 > https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4 Sorry, Don't worry about it. https://tools.ietf.or

Re: DNSSEC - DANE

2014-12-31 Thread Viktor Dukhovni
On Wed, Dec 31, 2014 at 12:23:16AM -0500, John wrote: > >>smtpd_use_tls = yes > >>smtpd_tls_security_level = may > > Just so I get this right "/smtpd_tls_security_level = dane/" is acceptable, No, DANE TLS is for the sending (verifying) MTA only. -- Viktor.

Re: DNSSEC - DANE

2014-12-31 Thread Viktor Dukhovni
On Wed, Dec 31, 2014 at 12:45:20AM -0500, John wrote: > https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1 > https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4 Sorry, https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1 https://tools.ietf.org/html/draft-ietf-dane-

Re: DNSSEC - DANE

2014-12-30 Thread John
/smtpd_tls_security_level = dane/. postconf does not show any error for the above, but postfix itself does "fatal: invalid TLS level "dane" - I have switched back to may -- John Allen KLaM -- You are off the edge of the map, mate. Here there be monsters!

Re: DNSSEC - DANE

2014-12-30 Thread John
https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1 https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4 Both of the above return "object not found" I assume that as they are both draft docs they come and go as the editors update them. I will keep an eye on the site, hopefully catch t

Re: DNSSEC - DANE

2014-12-30 Thread John
On 12/30/2014 11:19 PM, Viktor Dukhovni wrote: On Tue, Dec 30, 2014 at 07:47:24PM -0500, John wrote: I have setup my DNS server for DNSSEC + DANE. I am using inline signing on Bind9 and it appears to be working for HTTPS access. I have a minor problem with key rolling, it seems to be a rather c

Re: DNSSEC - DANE

2014-12-30 Thread Viktor Dukhovni
On Tue, Dec 30, 2014 at 07:47:24PM -0500, John wrote: > I have setup my DNS server for DNSSEC + DANE. I am using inline signing on > Bind9 and it appears to be working for HTTPS access. > I have a minor problem with key rolling, it seems to be a rather cumbersome > process at the moment, but I sus

Re: DNSSEC - DANE

2014-12-30 Thread John
On 12/30/2014 7:58 PM, wie...@porcupine.org (Wietse Venema) wrote: Wietse Venema: John: *Dec 30 19:16:35 bilbo postfix/smtp[3376]: warning: [127.0.0.1]:10024: dane configured with dnssec lookups disabled* Have you noticed the "unused parameter" warning for smtp_dns_supporta_level? That is, wh

Re: DNSSEC - DANE

2014-12-30 Thread Wietse Venema
Wietse Venema: > John: > > *Dec 30 19:16:35 bilbo postfix/smtp[3376]: warning: [127.0.0.1]:10024: > > dane configured with dnssec lookups disabled* > > Have you noticed the "unused parameter" warning for smtp_dns_supporta_level? That is, when you use the postconf command to show the configurati

Re: DNSSEC - DANE

2014-12-30 Thread Wietse Venema
John: > *Dec 30 19:16:35 bilbo postfix/smtp[3376]: warning: [127.0.0.1]:10024: > dane configured with dnssec lookups disabled* Have you noticed the "unused parameter" warning for smtp_dns_supporta_level? Wietse

Re: DNSSEC

2014-02-26 Thread /dev/rob0
On Wed, Feb 26, 2014 at 01:32:09PM -0500, Charles Marcus wrote: > Well, I sent them the two responses I got here (from rob0 and > Victor), and, in addition to what I think is the real reason, > here is what they came back with: > > >domains are more likely to go down due to poor DNSSEC > >administ

Re: DNSSEC

2014-02-26 Thread Charles Marcus
On 2/25/2014 10:32 AM, Viktor Dukhovni wrote: My domains are (or will be when the transfer completes) signed with NSEC3. RFC 5155 (NSEC3) was published in 2008. The root zone was signed around 2010. DNSSEC is up and running. Well, I sent them the two responses I got here (from rob0 and Victor

Re: DNSSEC

2014-02-25 Thread Viktor Dukhovni
On Tue, Feb 25, 2014 at 09:07:13AM -0600, /dev/rob0 wrote: > > Curious what others (especially Victor) think of this response. > > Why are they 'firmly against' NSEC's 'enumeration of domains' > > feature, and the comment about 'very real issues...'... > > Good questions. I don't know. I don't ca

Re: DNSSEC

2014-02-25 Thread /dev/rob0
On Tue, Feb 25, 2014 at 08:21:14AM -0500, Charles Marcus wrote: > On 2/24/2014 3:52 PM, /dev/rob0 wrote: > >On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote: > >>Oh yes - DNSSEC. When will it come? In hundred years? > > > >Dirk, do you mind explaining this? Are you having trouble > >fi

Re: DNSSEC, was Re: TLS client logging PATCH

2014-02-25 Thread Charles Marcus
On 2/24/2014 3:52 PM, /dev/rob0 wrote: On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote: On Sun, 23 Feb 2014, Viktor Dukhovni wrote: If you want scalable security for SMTP, become an early adopter of DANE TLS, available in Postfix 2.11. Today, you'll be able to opportunistically a

Re: DNSSEC

2014-02-24 Thread Dirk Stöcker
On Mon, 24 Feb 2014, /dev/rob0 wrote: Oh yes - DNSSEC. When will it come? In hundred years? Dirk, do you mind explaining this? Are you having trouble finding DNSSEC-enabled DNS hosting? Reading about it for years - always with "Delayed" as main information (same like for IPv6). But OTOH dur