On 07.11.2014 at 14:04, Bernhard Schmidt wrote:
> Hi,
>
> we have been running our outbound mailservers with DANE/DNSSEC enabled for quite some
> time now. Works great.
>
> It looks like one of the two MX for the German government changed
> implementation yesterday; it now offers TLSv1.2 with ECDHE ciphers and a
> new certificate. They apparently forgot to update the TLSA record
> though, which makes smtp_tls_security_level=dane rightfully fail the
> connection and switch over to mx1.bund.de
>
> Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: Untrusted TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: 3jYytM0BhVzyQK: Server certificate not trusted
> Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: Verified TLS connection established to mx1.bund.de[77.87.224.163]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> However, sometimes mx2.bund.de negotiates an Anonymous TLS connection
> and the mail gets delivered
>
> Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: 3jYxzC541LzyYf: to=<[email protected]>, relay=mx2.bund.de[77.87.224.131]:25, delay=0.32, delays=0.05/0/0.16/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E353315D45B)
>
> Two questions:
> - Why is the connection established using Anonymous TLS? According to
>   postconf(5) it should be transparently excluded, see
>
>     smtp_tls_security_level (default: empty)
>     [..]
>         dane   Opportunistic DANE TLS. At this security level, the
>                [...]
>                For purposes of protocol and cipher selection, the "dane"
>                security level is treated like a "mandatory" TLS security
>                level, and weak ciphers and protocols are disabled. Since
>                DANE authenticates server certificates the "aNULL"
>                cipher-suites are transparently excluded at this level,
>                no need to configure this manually. RFC 6698 (DANE) TLS
>                authentication is available with Postfix 2.11 and later.
>
> - Why are Untrusted TLS connections dropped, but the arguably even
>   weaker Anonymous TLS connections accepted?
>
> Postfix 2.11.2 on Debian Wheezy. The configuration is quite long; the
> TLS/DNSSEC-specific postconf -n output is this:
>
> smtp_dns_support_level = dnssec
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = hash:${config_directory}/maps/tls_policy.hash
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_tls_CApath = ${config_directory}/certs
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = ${config_directory}/xxx.crt
> smtpd_tls_key_file = ${config_directory}/xxx.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> tls_append_default_CA = no
> tls_compat_cipherlist = aNULL+AES128:aRSA+AES128:RC4-SHA:@STRENGTH
>
> tls_compat_cipherlist comes from
> https://groups.google.com/forum/#!msg/mailing.postfix.users/gTVBKQyd_Ho/DMEPBOcZGXUJ
> and is only active on a dedicated exchangerelay transport as described
> in that post.
>
> Bernhard
seems you're right

posttls-finger -a ipv4 -c -l dane -L summary bund.de
posttls-finger: Untrusted TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

./dnssec-check.py bund.de
Checking domain: bund.de
----------------
bund.de is insecure A-Record returned (1 Records) RCODE: NoError (AD: 0)
bund.de is secure AAAA-Record returned (0 Records) RCODE: NoError (AD: 1)
www.bund.de is insecure A-Record returned (1 Records) RCODE: NoError (AD: 0)
www.bund.de is secure AAAA-Record returned (0 Records) RCODE: NoError (AD: 1)
Got ZSK
Got KSK
DS Key-ID matches KSK-Key-ID
Got ZSK
Mailhost: mx3.bund.de.
Mailhost: mx1.bund.de.
Mailhost: mx2.bund.de.
RRSIG expire values:
> _25._tcp.mx3.bund.de.::TLSA valid from 2014-11-07 11:28:01 to 2014-11-17 11:28:01 for 9 days, 20:30:59.162919
> _25._tcp.mx2.bund.de.::TLSA valid from 2014-11-07 11:28:01 to 2014-11-17 11:28:01 for 9 days, 20:30:59.133092
> bund.de::DNSKEY valid from 2014-11-07 10:48:01 to 2014-11-17 10:48:01 for 9 days, 19:50:59.132795
> _443._tcp.www.bund.de::TLSA valid from 2014-11-07 11:28:01 to 2014-11-17 11:28:01 for 9 days, 20:30:59.132523
> _25._tcp.mx1.bund.de.::TLSA valid from 2014-11-07 11:28:01 to 2014-11-17 11:28:01 for 9 days, 20:30:59.132268
TLSA-Records:
TLSA -> _443._tcp.www.bund.de. 900 IN TLSA 3 0 1 7220022a1cda213da1124ea1ab461dc9f99a0f4a4c4a37de21140960b00e2330
TLSA -> _25._tcp.mx2.bund.de. 900 IN TLSA 3 0 1 59e3cf5fa151553f4576c94c2500d705efddd855b6a59d88d28d0328876a04cb
TLSA -> _25._tcp.mx1.bund.de. 900 IN TLSA 3 0 1 cc7c93bf7367fd0e47f4399d9cdf2a53da0dcc4c86dea331ea894acfd91351a7
TLSA -> _25._tcp.mx3.bund.de. 900 IN TLSA 3 0 1 838812e007dc551f3dea329d3f89218f44529647e9f88b225b5c462791ea5054

so the problem that mail gets delivered sometimes is because your Postfix sometimes resolves it as DANE Verified; this should be related to different DNS answers. Sorry, no more time for debugging now.

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
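The root cause Bernhard describes (mx2.bund.de rolled its certificate but left the old "3 0 1" TLSA record in DNS) is easy to reproduce with the TLSA matching rules from RFC 6698. The following is an added example, not code from the thread or from Postfix: it parses TLSA records in presentation format, applies selector 0/1 and matching type 0/1/2, and renders the record an operator should publish after a certificate change. The certificate bytes `OLD_CERT_DER` and `NEW_CERT_DER` are constructed stand-ins for DER-encoded certificates (the logic treats them as opaque bytes, exactly as a real verifier hashes the DER); a real SubjectPublicKeyInfo for selector 1 would be extracted with X.509 tooling and passed in as `spki_der`, which is assumed here rather than parsed. Only DANE-EE (usage 3) is evaluated, matching the records in Robert's output; usages 0 to 2 need chain and PKIX processing that is out of scope.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse TLSA presentation format: 'usage selector matching hexdata'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    # The hex data may be split into several whitespace-separated chunks.
    return Tlsa(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def association(cert_der: bytes, spki_der: Optional[bytes], selector: int) -> bytes:
    """Select the part of the certificate the TLSA record is about."""
    if selector == 0:
        return cert_der
    if selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the certificate's SubjectPublicKeyInfo")
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def matches(rec: Tlsa, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """Apply the record's matching type to the selected association data."""
    data = association(cert_der, spki_der, rec.selector)
    if rec.matching == 0:
        return data == rec.data
    if rec.matching == 1:
        return hashlib.sha256(data).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(data).digest() == rec.data
    raise ValueError(f"unknown TLSA matching type {rec.matching}")


def dane_ee_verified(records: Iterable[Tlsa], cert_der: bytes,
                     spki_der: Optional[bytes] = None) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented leaf certificate.

    Usage 0-2 records are skipped: they require PKIX or chain processing.
    """
    return any(r.usage == 3 and matches(r, cert_der, spki_der) for r in records)


def tlsa_for_cert(cert_der: bytes) -> str:
    """Render the '3 0 1' record an operator publishes for a (new) certificate."""
    return f"3 0 1 {hashlib.sha256(cert_der).hexdigest()}"


# Constructed stand-ins for the DER of the old and the new mx2 certificate
# (not real certificates; the matching logic only hashes the bytes).
OLD_CERT_DER = b"constructed-DER-of-old-mx2-certificate"
NEW_CERT_DER = b"constructed-DER-of-new-mx2-certificate"

# The record that was published for the old certificate and never updated.
PUBLISHED = [parse_tlsa(tlsa_for_cert(OLD_CERT_DER))]

# Real rdata from the thread, used only to show the presentation format parses.
MX2_TLSA_RDATA = "3 0 1 59e3cf5fa151553f4576c94c2500d705efddd855b6a59d88d28d0328876a04cb"


if __name__ == "__main__":
    print("old cert against published record:", dane_ee_verified(PUBLISHED, OLD_CERT_DER))
    print("new cert against published record:", dane_ee_verified(PUBLISHED, NEW_CERT_DER))
    print("record to publish for the new cert:", tlsa_for_cert(NEW_CERT_DER))
    print("parsed mx2 record:", parse_tlsa(MX2_TLSA_RDATA))
```

The second print is the "Server certificate not trusted" case from the log: the new certificate hashes to a different value, so no DANE-EE record matches and a DANE-enabled client must not treat the session as verified. Publishing the record from `tlsa_for_cert` alongside the old one before the rollover (and removing the old one after the TTL expires) is the operational fix.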

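Whatever the cause of the intermittent Anonymous TLS sessions, the thing an operator wants to know is whether mail to a DANE-secured MX was ever handed over on a session that Postfix did not log as "Verified". The following is an added example, not code from the thread or from Postfix: it correlates the "... TLS connection established to ..." lines with the later "status=sent" line of the same smtp process and relay, and reports every delivery to a relay from the DANE list that was not on a Verified session. The log lines are those quoted above, plus one constructed delivery line via mx1.bund.de (marked as such) so the verified path is exercised too; the recipient address is a placeholder.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample syslog lines. Lines 1-3, 5 and 6 are quoted from the thread above;
# line 4 is constructed to show a delivery over a Verified session.
# Recipient addresses are placeholders.
SAMPLE_LOG = """\
Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: Untrusted TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: 3jYytM0BhVzyQK: Server certificate not trusted
Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: Verified TLS connection established to mx1.bund.de[77.87.224.163]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 7 11:45:31 lxmhs51 postfix-postout/smtp[3655]: 3jYytM0BhVzyQK: to=<user@example.invalid>, relay=mx1.bund.de[77.87.224.163]:25, delay=0.41, delays=0.05/0/0.25/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CONSTRUCTED01)
Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: Anonymous TLS connection established to mx2.bund.de[77.87.224.131]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 7 11:04:39 lxmhs52 postfix-postout/smtp[18391]: 3jYxzC541LzyYf: to=<user@example.invalid>, relay=mx2.bund.de[77.87.224.131]:25, delay=0.32, delays=0.05/0/0.16/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E353315D45B)
"""

# Postfix smtp(8) TLS session line: "<level> TLS connection established to <relay>[<ip>]:<port>: ..."
TLS_RE = re.compile(
    r"(?P<host>\S+) postfix\S*/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<relay>[^\[\s]+)\["
)

# Delivery line: "<queue-id>: to=<...>, relay=<relay>[<ip>]:<port>, ..., status=<status> ..."
SENT_RE = re.compile(
    r"(?P<host>\S+) postfix\S*/smtp\[(?P<pid>\d+)\]: (?P<queue>\w+): to=<[^>]*>, "
    r"relay=(?P<relay>[^\[\s]+)\[.*\bstatus=(?P<status>\w+)"
)


def audit_dane_deliveries(log_text: str, dane_relays: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (queue_id, relay, tls_level) for each message delivered to a relay in
    dane_relays on a session Postfix did not log as Verified.

    The TLS session line precedes the delivery line in the same smtp process, so
    the most recent level per (host, pid, relay) is what that delivery used.
    """
    last_level: Dict[Tuple[str, str, str], str] = {}
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_level[(m["host"], m["pid"], m["relay"])] = m["level"]
            continue
        m = SENT_RE.search(line)
        if m and m["status"] == "sent" and m["relay"] in dane_relays:
            level = last_level.get((m["host"], m["pid"], m["relay"]), "none")
            if level != "Verified":
                findings.append((m["queue"], m["relay"], level))
    return findings


if __name__ == "__main__":
    # Relays for which a TLSA record exists (from the posttls-finger/dnssec output above).
    for queue, relay, level in audit_dane_deliveries(SAMPLE_LOG, {"mx1.bund.de", "mx2.bund.de", "mx3.bund.de"}):
        print(f"{queue}: delivered to DANE relay {relay} on {level} TLS session")
```

Run against the sample, the only finding is queue 3jYxzC541LzyYf, handed to mx2.bund.de on an Anonymous session; the 11:45 delivery went over mx1.bund.de on a Verified session and is not reported. Pointing the script at the real smtp log with the list of TLSA-bearing relays gives a simple daily check that DANE policy is actually being enforced end to end.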