On Tue, Oct 17, 2023 at 12:42:39PM -0400, Viktor Dukhovni via Postfix-users wrote:
> > [...] it took a while to realize that the above "STARTTLS,QUIT"
> > behaviour is due to the fact that said outbound systems do not like to come
> > across non-matching TLSA entries (for other certificates used by the
> > webserver) anymore.
>
> Are you *SURE* about that? That would be a substantial departure from
> the DANE specifications. Extraneous *non-matching* DANE TLSA records
> MUST be simply ignored. Any single *matching* TLSA record is
> sufficient.

It is also worth noting that "non-matching" TLSA records are fundamentally
unavoidable for SMTP servers with both RSA and ECDSA certificates that
publish DANE-EE(3) records. This includes "postfix.org":

    https://stats.dnssec-tools.org/explore/?postfix.org
    https://testconnectivity.microsoft.com/result/72f862c1-fdab-46ab-4ba8-f32807a7c303

Any one TLS handshake will negotiate either RSA or ECDSA signature
algorithms, and will find only the corresponding TLSA records matching.
The TLSA record for the non-selected algorithm's key will not match.

This can also apply when using "2 1 1" records for the intermediate CA,
if different intermediate issuers are used for RSA vs. ECDSA, as is the
case with Let's Encrypt (R3/R4 vs. E1/E2).

So I am very sceptical that Microsoft have issues delivering mail based
on mere presence of some non-matching TLSA records. The bounces the OP
alluded to (with no specifics as to what reason was reported in the
bounce beyond "a message on LinkedIn telling me that a number of e-mails
sent via Microsoft's outbound systems had bounced") could even be
entirely unrelated to DANE (red herring).

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
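As an added illustration (not part of the thread, and not Postfix's own code), a small Python model of the DANE matching rule the message states: the verifier walks the TLSA RRset and succeeds on the first usable matching record, ignoring the non-matching ones, so a dual RSA/ECDSA server with Let's Encrypt R3/E1 intermediates authenticates in both handshakes even though half of its records never match any single handshake. Certificate and SPKI bytes are constructed stand-ins for real DER, and the DANE-TA(2) check is simplified to "issuer is present in the chain" (no PKIX path validation).

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA (issuer), 3 = DANE-EE (end-entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

class Cert(NamedTuple):
    der: bytes   # constructed stand-in for the DER-encoded certificate
    spki: bytes  # constructed stand-in for the DER-encoded SPKI

def assoc_data(cert: Cert, rr: TLSA) -> bytes:
    """Certificate association data the record must equal (RFC 6698)."""
    raw = cert.der if rr.selector == 0 else cert.spki
    if rr.mtype == 0:
        return raw
    if rr.mtype == 1:
        return hashlib.sha256(raw).digest()
    if rr.mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unusable matching type")

def dane_matches(chain: list, rrset: list) -> bool:
    """Authenticated if ANY usable record matches; the rest are ignored.
    Simplified: DANE-TA(2) only checks the issuer is in the chain, no PKIX."""
    for rr in rrset:
        try:
            if rr.usage == 3 and assoc_data(chain[0], rr) == rr.data:
                return True
            if rr.usage == 2 and any(assoc_data(c, rr) == rr.data for c in chain[1:]):
                return True
        except ValueError:
            continue  # unusable record: skip it, never fail on it
    return False

def nonmatching_count(chain: list, rrset: list) -> int:
    """Records that did NOT match this handshake: normal, not an error."""
    return sum(1 for rr in rrset if not dane_matches(chain, [rr]))

# Constructed stand-ins for one server with RSA and ECDSA certificates whose
# chains use different Let's Encrypt intermediates (R3 vs. E1).
RSA_EE, ECDSA_EE = Cert(b"rsa-ee", b"rsa-spki"), Cert(b"ecdsa-ee", b"ecdsa-spki")
R3, E1 = Cert(b"le-R3", b"R3-spki"), Cert(b"le-E1", b"E1-spki")
RRSET = [TLSA(3, 1, 1, hashlib.sha256(c.spki).digest()) for c in (RSA_EE, ECDSA_EE)]
RRSET += [TLSA(2, 1, 1, hashlib.sha256(c.spki).digest()) for c in (R3, E1)]

if __name__ == "__main__":
    print(dane_matches([RSA_EE, R3], RRSET), dane_matches([ECDSA_EE, E1], RRSET))
```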