Thank you Viktor & Wietse!

I think it may be some DNS-related issue on my server's local bind9/named
install. It acts as its own nameserver with glue records. The sending domain
on it is DNSSEC signed (the one I am sending mail from now).

When I use the dig command to look up the TLSA records it can find them. But
somehow Postfix cannot.

But I have now removed localhost as the local DNS resolver and use Google or
Quad9 instead.

For testing I tried the "dane-only" policy with and without postfix-tlspol,
and it works fine.

Luca.


-----Original Message-----
From: Viktor Dukhovni via Postfix-users <[email protected]>
Sent: Thursday, 5 June 2025 21:52
To: [email protected]
Subject: [pfx] Re: MTA-STS / DANE - postfix-tlspol

On Thu, Jun 05, 2025 at 09:11:01PM +0200, Luca vom Bruch via Postfix-users
wrote:

> to=<[email protected]>, relay=none, delay=0.64, 
> delays=0.1/0.02/0.51/0, dsn=4.7.5, status=deferred (no TLSA records 
> found)

That's odd, when I query the DNS, I see DNSSEC-signed MX records for the
domain with signed A, AAAA and TLSA records for its MX host:

    ; NOERROR qr rd ra ad
    learndmarc.com. IN MX 10 uriports.com.

    ; NOERROR qr rd ra ad
    uriports.com. IN A 87.239.13.42

    ; NOERROR qr rd ra ad
    uriports.com. IN AAAA 2001:678:6a0::3:101

    ; NOERROR qr rd ra ad
    _25._tcp.uriports.com. IN TLSA 3 1 1 11593c9337b95ce900a00e3a030f2d156a6a3d71681ce745aa11dba6dd0c0afc

Your delivery agent for this domain seems to be unable to make
DNSSEC-validated queries, getting a false indication of TLSA record absence.

> The developer suggested this is a config issue of mine, so maybe, here 
> is my config:

Look in master.cf first, for the relevant delivery agent, then also check
your /etc/resolv.conf file, ...

> smtp_dns_support_level = dnssec
> smtp_host_lookup = dns
> tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM

FWIW, the cipherlist looks much too specific (counterproductive attempt to
raise security that does nothing of the sort).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
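One way to test the diagnosis above (whether the resolver Postfix talks to returns DNSSEC-authenticated answers, i.e. replies with the AD bit set, for the MX and TLSA names in the thread). This is an added example, not Postfix or postfix-tlspol code; it builds DNS messages by hand with only the standard library, and the resolver address (127.0.0.1, standing in for the local bind9) and the query names are assumptions taken from the quoted lookups.

```python
"""Report whether a resolver hands back DNSSEC-authenticated (AD) answers.
Added example for the thread above; not Postfix or postfix-tlspol code."""
import socket
import struct

QTYPE = {"MX": 15, "TLSA": 52}
FLAG_RD, FLAG_AD = 0x0100, 0x0020     # header flag bits (RFC 1035 / RFC 4035)


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Query with RD+AD set plus an EDNS0 OPT record carrying the DO bit,
    so a validating resolver will mark authenticated data instead of
    returning a plain (insecure) answer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    question += b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO (0x8000) set, empty rdata.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def classify(response: bytes) -> dict:
    """Decode the header bits that matter for DANE: rcode, AD and the answer
    count.  An answer without AD is 'insecure': Postfix cannot use it for
    DANE, and a NODATA reply without AD is exactly the false 'no TLSA' case."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode, ad = flags & 0x000F, bool(flags & FLAG_AD)
    if rcode != 0:
        status = "error"
    elif an == 0:
        status = "nodata (authenticated)" if ad else "nodata (insecure)"
    else:
        status = "authenticated" if ad else "insecure"
    return {"rcode": rcode, "ad": ad, "answers": an, "status": status}


def query(resolver: str, qname: str, qtype: str, port: int = 53) -> dict:
    """Send one UDP query to the resolver and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(build_query(qname, qtype), (resolver, port))
        data, _ = sock.recvfrom(4096)
    return classify(data)


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed local bind9
    for name, qtype in (("learndmarc.com.", "MX"), ("_25._tcp.uriports.com.", "TLSA")):
        print(name, qtype, query(resolver, name, qtype))
```

Run it once against the local resolver and once against a public validating one; if only the latter reports "authenticated", the local named is the piece to fix (or, as in the thread, to stop using).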

