On Wed, Jun 26, 2024 at 11:26:59AM +0200, Gerd Hoerst via Postfix-users wrote:

> I checked my domain with posttls-finger it brings some errors (I can
> only do it on the machine itself)
> 
> posttls-finger: warning: DNSSEC validation may be unavailable
> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response
> that is not DNSSEC validated

That's the reason you're unable to verify your TLSA records, the
resolver in /etc/resolv.conf is not a DNSSEC-validating resolver,
or you're missing "options trust-ad" in /etc/resolv.conf.

> posttls-finger: Untrusted TLS connection established to
> vserver.hoerst.net[127.0.1.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
> (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
> server-digest SHA256....

This is just a consequence.  Your DANE setup is presently fine:

    $ posttls-finger -c -Lsummary hoerst.net
    posttls-finger: Verified TLS connection established to vserver.hoerst.net[2a03:4000:6:4304:c8a2:c3ff:fe93:ccda]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

    $ danesmtp vserver.hoerst.net
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = vserver.hoerst.net
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    DANE TLSA 3 1 1 ...36fb9fa74536c5f9274ad0b1 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    DONE

    $ echo $?
    0

However, your "2 1 1" record will stop working next time your
certificate is renewed.  See:

    https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

-- 
    Viktor.

The "danesmtp" bash function is intended for integration into monitoring
scripts.  Monitoring is NOT optional with DANE, unmonitored security
systems are useless impediments.

    # danesmtp [-a addr] host [ssloption ...]
    # Looks up the host's _25._tcp TLSA records with dig, hands them to
    # openssl s_client as -dane_tlsa_rrdata, and exits non-zero when the
    # STARTTLS connection cannot be DANE-verified.
    danesmtp ()
    {
        local OPTIND=1 opt
        local -a rrs sslopts
        local rr i=0 host addr
        while getopts a: opt; do
            case $opt in
                a) addr=$OPTARG
                   # Bracket IPv6 literals for openssl's -connect host:port
                   case $addr in
                   *:*) addr="[$addr]" ;;
                   esac;;
                *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
                   return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift
        if [[ -z "$addr" ]]; then
            addr="$host"
        fi
        sslopts=(-starttls smtp -connect "$addr:25" -verify 9 -verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Keep only DANE-TA(2) and DANE-EE(3) records; +nosplit keeps the hex
        # data in one word, so each record word-splits into four array elements.
        rrs=($(dig +short +nosplit -t tlsa "_25._tcp.$host" | grep -Ei '^[23] [01] [012] [0-9a-f]+$'))
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
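Added example (not Viktor's code and not part of the thread): a small Python model of the TLSA matching rules behind the "2 1 1" remark above. It parses records in the same shape the danesmtp grep accepts, computes RFC 6698 certificate association data (selector 0/1, matching type 0/1/2), and checks which records a presented chain satisfies before and after a renewal in which the server keeps its key but the CA issues the new certificate from a different intermediate. All certificate bytes, host names and intermediate names are constructed placeholders, not real DER, so only the self-consistency of the hashes matters; chain-signature verification is deliberately out of scope.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Same record shape the posted danesmtp function greps for:
# usage 2|3, selector 0|1, matching type 0|1|2, hex association data.
TLSA_RE = re.compile(r'^([23]) ([01]) ([012]) ([0-9a-fA-F]+)$')


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a chain element; der/spki are placeholder
    bytes, not real DER, so only the hashes need to be self-consistent."""
    name: str
    der: bytes
    spki: bytes


def parse_tlsa(line: str) -> Optional[Tlsa]:
    """Parse one `dig +short +nosplit` TLSA line; None for other usages."""
    m = TLSA_RE.match(line.strip())
    if m is None:
        return None
    return Tlsa(int(m[1]), int(m[2]), int(m[3]), bytes.fromhex(m[4]))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """RFC 6698 certificate association data for one chain element."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def matching_records(records: List[Tlsa], chain: List[Cert]) -> List[Tuple[Tlsa, str, int]]:
    """Return (record, cert name, depth) for every record the chain satisfies.

    DANE-EE (3) is compared only against the leaf at depth 0; DANE-TA (2)
    against issuer certificates presented at depth >= 1.
    """
    hits = []
    for rec in records:
        depths = [0] if rec.usage == 3 else list(range(1, len(chain)))
        for depth in depths:
            if association_data(chain[depth], rec.selector, rec.mtype) == rec.data:
                hits.append((rec, chain[depth].name, depth))
                break
    return hits


def monitor_exit_status(hits: List[Tuple[Tlsa, str, int]]) -> int:
    """0 when at least one record matches (like danesmtp's exit status), else 1."""
    return 0 if hits else 1


# Constructed scenario: the server keeps its key across renewal, but the
# CA issues the renewed certificate from a different intermediate.
EE_SPKI = b"constructed-ee-public-key"
EE_OLD = Cert("vserver (current cert)", b"constructed-ee-cert-2024", EE_SPKI)
EE_NEW = Cert("vserver (renewed cert)", b"constructed-ee-cert-2025", EE_SPKI)
OLD_CA = Cert("old intermediate", b"constructed-old-int-cert", b"constructed-old-int-key")
NEW_CA = Cert("new intermediate", b"constructed-new-int-cert", b"constructed-new-int-key")

# TLSA RRset as dig would print it: a "3 1 1" pinning the server key and a
# "2 1 1" pinning the current intermediate's key.
TLSA_RRSET = "\n".join([
    "3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest(),
    "2 1 1 " + hashlib.sha256(OLD_CA.spki).hexdigest(),
])
RECORDS = [r for r in map(parse_tlsa, TLSA_RRSET.splitlines()) if r is not None]


def check_before_renewal() -> List[Tuple[Tlsa, str, int]]:
    return matching_records(RECORDS, [EE_OLD, OLD_CA])


def check_after_renewal() -> List[Tuple[Tlsa, str, int]]:
    return matching_records(RECORDS, [EE_NEW, NEW_CA])


if __name__ == "__main__":
    for label, hits in (("before renewal", check_before_renewal()),
                        ("after renewal", check_after_renewal())):
        summary = [f"{h[0].usage} {h[0].selector} {h[0].mtype} -> {h[1]} (depth {h[2]})" for h in hits]
        print(f"{label}: exit {monitor_exit_status(hits)}, matched {summary}")
```

Before renewal both records match; afterwards only the "3 1 1" does, because the pinned key is unchanged while the presented intermediate is not. A scheduled run that compares the matched set against the published RRset is the kind of check that notices a "2 1 1" record going stale before the last record covering the chain does.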