Thank you Viktor & Wietse!

I think it may be some DNS-related issue on my server's local bind9/named
install. It acts as its own nameserver with glue records. The sending domain
on it is DNSSEC signed (the one I am sending mail from now).

When I use the dig command to look up the TLSA records, it can find them. But
somehow Postfix does not.

But I have now removed localhost as the local DNS resolver and use Google or
Quad9 instead.

For testing I tried the "dane-only" policy with and without postfix-tlspol,
and it works fine.

Luca.


-----Original Message-----
From: Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>
Sent: Thursday, 5 June 2025 21:52
To: postfix-users@postfix.org
Subject: [pfx] Re: MTA-STS / DANE - postfix-tlspol

On Thu, Jun 05, 2025 at 09:11:01PM +0200, Luca vom Bruch via Postfix-users
wrote:

> to=<ld-879a626...@learndmarc.com>, relay=none, delay=0.64, 
> delays=0.1/0.02/0.51/0, dsn=4.7.5, status=deferred (no TLSA records 
> found)

That's odd, when I query the DNS, I see DNSSEC-signed MX records for the
domain with signed A, AAAA and TLSA records for its MX host:

    ; NOERROR qr rd ra ad
    learndmarc.com. IN MX 10 uriports.com.

    ; NOERROR qr rd ra ad
    uriports.com. IN A 87.239.13.42

    ; NOERROR qr rd ra ad
    uriports.com. IN AAAA 2001:678:6a0::3:101

    ; NOERROR qr rd ra ad
    _25._tcp.uriports.com. IN TLSA 3 1 1 11593c9337b95ce900a00e3a030f2d156a6a3d71681ce745aa11dba6dd0c0afc

Your delivery agent for this domain seems to be unable to make
DNSSEC-validated queries, getting a false indication of TLSA record absence.

> The developer suggested this is a config issue of mine, so maybe, here 
> is my config:

Look in master.cf first, for the relevant delivery agent, then also check
your /etc/resolv.conf file, ...

> smtp_dns_support_level = dnssec
> smtp_host_lookup = dns
> tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM

FWIW, the cipherlist looks much too specific (counterproductive attempt to
raise security that does nothing of the sort).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
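Added example, not code from either poster: a small Python check that reads a condensed dig-style lookup trace like the one Viktor quoted and reports whether an SMTP client could act on the TLSA records. It encodes the DANE rule that the MX, address and TLSA answers must all be DNSSEC-validated (carry the AD flag); the sample traces are constructed from the records in the quoted mail, and the second one is the same answers as a non-validating resolver would return them.

```python
import re

FLAGS_RE = re.compile(r"^;\s*(?P<rcode>[A-Z]+)\s*(?P<flags>[\w ]*)$")
RR_RE = re.compile(r"^(?P<name>\S+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")

# Constructed from the lookups quoted in the mail (TLSA rdata joined on one line).
VALIDATED_TRACE = """\
; NOERROR qr rd ra ad
learndmarc.com. IN MX 10 uriports.com.

; NOERROR qr rd ra ad
uriports.com. IN A 87.239.13.42

; NOERROR qr rd ra ad
_25._tcp.uriports.com. IN TLSA 3 1 1 11593c9337b95ce900a00e3a030f2d156a6a3d71681ce745aa11dba6dd0c0afc
"""

# Same answers without the "ad" flag, as a non-validating resolver returns them.
UNVALIDATED_TRACE = VALIDATED_TRACE.replace(" ra ad", " ra")


def parse_sections(trace):
    """Yield (rcode, flags, records) for each blank-line separated answer."""
    for chunk in re.split(r"\n\s*\n", trace.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        head = FLAGS_RE.match(lines[0])
        if head is None:
            raise ValueError("expected a '; RCODE flags' line, got %r" % lines[0])
        records = []
        for ln in lines[1:]:
            rr = RR_RE.match(ln)
            if rr is None:
                raise ValueError("unparsable record line %r" % ln)
            records.append((rr.group("name"), rr.group("type"), rr.group("rdata")))
        yield head.group("rcode"), set(head.group("flags").split()), records


def assess_dane(trace):
    """Explain whether an SMTP client could apply DANE from this trace."""
    usable_tlsa = 0
    for rcode, flags, records in parse_sections(trace):
        types = sorted({t for _, t, _ in records}) or [rcode]
        if "ad" not in flags:
            # RFC 7672: an unvalidated answer anywhere on the path means the
            # TLSA records must be treated as absent ("insecure").
            return "insecure: %s answer lacks the AD flag" % "/".join(types)
        for _, rtype, rdata in records:
            if rtype != "TLSA":
                continue
            usage, selector, mtype, data = rdata.split(None, 3)
            # This example only accepts DANE-TA/DANE-EE records with a SHA-256
            # digest (matching type 1), the form shown in the quoted lookup.
            if usage in ("2", "3") and mtype == "1" and len(data) == 64:
                usable_tlsa += 1
    return "dane-usable" if usable_tlsa else "no usable TLSA records found"
```

Run the same check against the output of `dig +dnssec` from the resolver named in /etc/resolv.conf: a missing AD flag on the first answer is exactly the situation in which Postfix cannot use the TLSA records that dig still displays.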