On Wed, Jun 26, 2024 at 11:26:59AM +0200, Gerd Hoerst via Postfix-users wrote:
> I checked my domain with posttls-finger it brings some errors (I can
> only do it on the machine itself)
>
> posttls-finger: warning: DNSSEC validation may be unavailable
> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response
> that is not DNSSEC validated

That's the reason you're unable to verify your TLSA records: the resolver
in /etc/resolv.conf is not a DNSSEC-validating resolver, or you're missing
"options trust-ad" in /etc/resolv.conf.

> posttls-finger: Untrusted TLS connection established to
> vserver.hoerst.net[127.0.1.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
> (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
> server-digest SHA256....

This is just a consequence. Your DANE setup is presently fine:

    $ posttls-finger -c -Lsummary hoerst.net
    posttls-finger: Verified TLS connection established to
    vserver.hoerst.net[2a03:4000:6:4304:c8a2:c3ff:fe93:ccda]:25: TLSv1.3 with
    cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
    server-signature RSA-PSS (2048 bits) server-digest SHA256

    $ danesmtp vserver.hoerst.net
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = vserver.hoerst.net
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    DANE TLSA 3 1 1 ...36fb9fa74536c5f9274ad0b1 matched EE certificate at depth 0
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    DONE
    $ echo $?
    0

However, your "2 1 1" record will stop working next time your certificate
is renewed. See:

    https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

-- 
    Viktor.

The "danesmtp" bash function is intended for integration into monitoring
scripts. Monitoring is NOT optional with DANE; unmonitored security systems
are useless impediments.
    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sslopts
        local rr i=0 host addr

        while getopts a: opt; do
            case $opt in
            a) addr=$OPTARG
               case $addr in *:*) addr="[$addr]" ;; esac;;
            *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
               return 1;;
            esac
        done
        shift $((OPTIND - 1))

        host=$1
        shift
        if [[ -z "$addr" ]]; then
            addr="$host"
        fi

        sslopts=(-starttls smtp -connect "$addr:25" -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        rrs=($(dig +short +nosplit -t tlsa "_25._tcp.$host" |
               grep -Ei '^[23] [01] [012] [0-9a-f]+$'))
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done

        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
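Added example, not part of the post above and not OpenSSL's or Postfix's code: a small offline model of what the "-dane_tlsa_rrdata" matching in danesmtp does, so the warning that a "2 1 1" record breaks at the next certificate renewal can be reproduced without a live server. It parses TLSA rdata lines in the same "usage selector mtype hex" shape that "dig +short +nosplit" prints (and applies the same [23]/[01]/[012] filter as the grep in danesmtp), then matches them against a chain the way RFC 7671 describes: usage 3 against the end-entity certificate at depth 0, usage 2 against any issuer above it. The certificates are constructed byte strings standing in for DER (a real check hashes the DER certificate or SubjectPublicKeyInfo); the hostnames, keys and issuer names are made up, and PKIX chain building and name checks are left out.

```python
"""Offline model of DANE TLSA matching for SMTP (RFC 7671/7672 semantics).
Constructed stand-in certificates, not real X.509; hypothetical names throughout."""
import hashlib
import re

# Same shape the grep in danesmtp accepts: DANE-TA(2)/DANE-EE(3) only,
# selector Cert(0)/SPKI(1), matching type Full(0)/SHA-256(1)/SHA-512(2).
TLSA_RE = re.compile(r"^([23]) ([01]) ([012]) ([0-9a-fA-F]+)$")


def parse_tlsa(lines):
    """Turn 'dig +short +nosplit' style lines into (usage, selector, mtype, data)."""
    out = []
    for line in lines:
        m = TLSA_RE.match(line.strip())
        if not m:  # PKIX usages 0/1 and junk are unusable for SMTP DANE
            continue
        usage, selector, mtype, data = m.groups()
        out.append((int(usage), int(selector), int(mtype), bytes.fromhex(data)))
    return out


def make_cert(name, key):
    """Constructed stand-in: 'cert' embeds the 'spki' so the two hash differently."""
    spki = b"SPKI:" + key
    return {"name": name, "cert": b"CERT:" + name + b":" + spki, "spki": spki}


def tlsa_matches(rr, cert):
    """Apply selector and matching type to one certificate."""
    _usage, selector, mtype, data = rr
    content = cert["cert"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return content == data
    if mtype == 1:
        return hashlib.sha256(content).digest() == data
    return hashlib.sha512(content).digest() == data


def dane_verify(rrs, chain):
    """chain[0] is the end-entity cert, the rest its issuers (depth 1, 2, ...).
    Returns (ok, reason); the first matching record wins, as in s_client output."""
    for usage, selector, mtype, data in rrs:
        rr = (usage, selector, mtype, data)
        label = f"{usage} {selector} {mtype} ...{data.hex()[-24:]}"
        if usage == 3 and tlsa_matches(rr, chain[0]):
            return True, f"DANE TLSA {label} matched EE certificate at depth 0"
        if usage == 2:
            for depth, cert in enumerate(chain[1:], start=1):
                if tlsa_matches(rr, cert):
                    return True, f"DANE TLSA {label} matched TA certificate at depth {depth}"
    return False, "no TLSA record matched the presented chain"


def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()


# Constructed scenario: the server keeps its key across renewals, but the CA
# switches to a different intermediate, which is exactly what sinks a 2 1 1 pin.
EE_KEY = b"ee-key-reused-at-renewal"
ee = make_cert(b"vserver.example", EE_KEY)
old_issuer = make_cert(b"old-intermediate", b"old-issuer-key")
new_issuer = make_cert(b"new-intermediate", b"new-issuer-key")
root = make_cert(b"root", b"root-key")

# Constructed zone data in the format 'dig +short +nosplit -t tlsa' prints.
TLSA_LINES = [
    "3 1 1 " + sha256_hex(ee["spki"]),          # DANE-EE pin on the server key
    "2 1 1 " + sha256_hex(old_issuer["spki"]),  # DANE-TA pin on today's intermediate
    "1 1 1 " + sha256_hex(ee["spki"]),          # PKIX-EE: filtered out for SMTP
    "not a tlsa record",
]


def before_renewal():
    return dane_verify(parse_tlsa(TLSA_LINES), [ee, old_issuer, root])


def after_renewal():
    # 3 1 1 still matches because the key was reused; the 2 1 1 record is now dead weight.
    return dane_verify(parse_tlsa(TLSA_LINES), [ee, new_issuer, root])


def after_renewal_211_only():
    # Only the 2 1 1 record published: verification fails after the intermediate changes.
    return dane_verify(parse_tlsa(TLSA_LINES[1:]), [ee, new_issuer, root])


if __name__ == "__main__":
    for fn in (before_renewal, after_renewal, after_renewal_211_only):
        ok, reason = fn()
        print(f"{fn.__name__}: {'OK' if ok else 'FAIL'} ({reason})")
```

The monitoring lesson the post makes is visible in the last scenario: a check that only exercises the live chain passes every day until the renewal that swaps the intermediate, at which point the 2 1 1 record silently stops matching, so a job that runs danesmtp (or this kind of check) after every renewal and alerts on a non-zero exit is the minimum.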