On Tue, Oct 17, 2023 at 12:42:39PM -0400, Viktor Dukhovni via Postfix-users 
wrote:

> > [...] it took a while to realize that the above "STARTTLS,QUIT"
> > behaviour is due to the fact that said outbound systems do not like to come
> > across non-matching TLSA entries (for other certificates used by the
> > webserver) anymore.
> 
> Are you *SURE* about that?  That would be a substantial departure from
> the DANE specifications.  Extraneous *non-matching* DANE TLSA records
> MUST be simply ignored.  Any single *matching* TLSA record is
> sufficient.

It is also worth noting that "non-matching" TLSA records are
fundamentally unavoidable for SMTP servers with both RSA and ECDSA
certificates that publish DANE-EE(3) records.  This includes
"postfix.org":

    https://stats.dnssec-tools.org/explore/?postfix.org

    https://testconnectivity.microsoft.com/result/72f862c1-fdab-46ab-4ba8-f32807a7c303

Any one TLS handshake will negotiate either RSA or ECDSA signature
algorithms, and will find only the corresponding TLSA records matching.
The TLSA record for the non-selected algorithm's key will not match.

This can also apply when using "2 1 1" records for the intermediate CA,
if different intermediate issuers are used for RSA vs. ECDSA, as is the
case with Let's Encrypt (R3/R4 vs. E1/E2).

So I am very sceptical that Microsoft have issues delivering mail based
on mere presence of some non-matching TLSA records.  The bounces the OP
alluded to (with no specifics as to what reason was reported in the
bounce beyond "a message on LinkedIn telling me that a number of e-mails
sent via Microsoft's outbound systems had bounced") could even be
entirely unrelated to DANE (red herring).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
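The matching rule Viktor describes (non-matching TLSA records are ignored, any single match suffices, and an RSA+ECDSA server necessarily publishes records that only one handshake at a time can match), as an added Python example that is not part of the thread or of Postfix. The `Cert` stand-ins are constructed byte strings rather than real DER, and DANE-TA(2) is simplified to "some presented issuer matches" without path building; both are assumptions for illustration.

```python
import hashlib
from typing import List, NamedTuple

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (PKIX usages 0/1 are unusable for SMTP, RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

class Cert(NamedTuple):
    name: str
    der: bytes   # stand-in for the DER certificate (constructed, not a real certificate)
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo

def association(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the certificate association data a TLSA record would carry."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(raw).digest()

def matching_records(chain: List[Cert], rrset: List[TLSA]) -> List[TLSA]:
    """Records satisfied by the presented chain; every other record is simply ignored.
    DANE-TA is simplified to 'some issuer in the chain matches' (no path building)."""
    leaf, issuers = chain[0], chain[1:]
    hits = []
    for rr in rrset:
        if rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
            continue                      # unusable parameters: skip, do not fail
        candidates = [leaf] if rr.usage == 3 else issuers if rr.usage == 2 else []
        if any(association(c, rr.selector, rr.mtype) == rr.data for c in candidates):
            hits.append(rr)
    return hits

def dane_accepts(chain: List[Cert], rrset: List[TLSA]) -> bool:
    """Any single matching record is sufficient."""
    return bool(matching_records(chain, rrset))

def record_for(usage: int, selector: int, mtype: int, cert: Cert) -> TLSA:
    return TLSA(usage, selector, mtype, association(cert, selector, mtype))

# Constructed sample: one MX with an RSA and an ECDSA certificate, each from a
# different Let's Encrypt intermediate (R3 vs. E1), publishing "3 1 1" for both
# keys and "2 1 1" for both intermediates.
RSA_LEAF = Cert("rsa-leaf", b"der:rsa-leaf", b"spki:rsa")
ECDSA_LEAF = Cert("ecdsa-leaf", b"der:ecdsa-leaf", b"spki:ecdsa")
R3, E1 = Cert("R3", b"der:R3", b"spki:R3"), Cert("E1", b"der:E1", b"spki:E1")
RRSET = [record_for(3, 1, 1, RSA_LEAF), record_for(3, 1, 1, ECDSA_LEAF),
         record_for(2, 1, 1, R3), record_for(2, 1, 1, E1)]
```

For either handshake, `matching_records` returns exactly one "3 1 1" and one "2 1 1" record out of the four published, and the two records for the other key are ignored rather than causing a failure.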