> On Oct 26, 2017, at 5:08 PM, Gao <g...@pztop.com> wrote:
> 
> I am trying to setup dane on my mail server.

Thanks for being an early adopter.  Your enthusiasm is appreciated.
Don't forget to *monitor* your deployment, by periodically (at
least daily) checking that your DNSSEC is working and your
SMTP server certificate chain matches the published TLSA
records.  Make sure you understand how to do certificate
rotation correctly:

   
http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
   
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
   
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
   http://tools.ietf.org/html/rfc7671#section-8.1
   http://tools.ietf.org/html/rfc7671#section-8.4

By combining "3 1 1" + "2 1 1" TLSA records, the rollover process can be
substantially simplified:

   https://www.ietf.org/mail-archive/web/uta/current/msg01498.html

> But I never seen a "Verified TLS connection..." in the log.
> I always got:
> Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection established 
> to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2 with cipher 
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

There are two prerequisites for DANE verification to happen:

   1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
      DNS resolver and for any meaningful security must be either on
      the loopback interface or reachable via a securely keyed IPsec
      tunnel or similar.

AND

   2.  The destination domain and its MX host must be in DNSSEC signed
       zones

   3.  The MX host must have TLSA records published.

Conditions 2 and 3 are false for google's MX hosts.

> My system is Postfix 3.2.3 on Centos 7.4
> # postconf -d | grep mail_version
> mail_version = 3.2.3
> 
> main.cf:
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
> smtp_tls_loglevel = 1

Condition 1 may be false for your system.

-- 
        Viktor.
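The following is an added, self-contained Python example (not code from the thread or from Postfix) that models the two points above: condition 1, a validating resolver on loopback, detected by the AD flag in a DNS response header and by the nameserver addresses in resolv.conf; and the "3 1 1" + "2 1 1" TLSA combination, showing why "3 0 1" breaks on a Let's Encrypt re-issue and why "3 1 1" alone breaks on a key change while "2 1 1" still matches. All DNS headers, resolv.conf text and certificate/SPKI bytes are constructed stand-ins, not real captures or real DER; the function names are the example's own.

```python
"""Offline checks for the DANE prerequisites and TLSA rollover logic.

Every input here (DNS header bytes, resolv.conf text, certificate and
SubjectPublicKeyInfo bytes) is CONSTRUCTED for the demo.
"""
import hashlib
import ipaddress

# ---- Condition 1: a validating resolver, reachable only over loopback ----

def parse_dns_flags(response: bytes) -> dict:
    """Decode the 16-bit flags word (bytes 2-3) of a raw DNS message header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = int.from_bytes(response[2:4], "big")
    return {
        "qr": bool(flags & 0x8000),   # 1 = response
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated DNSSEC
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,      # 0 = NOERROR
    }

def resolver_is_validating(response: bytes) -> bool:
    """A NOERROR answer for a signed name must carry AD from a validating resolver."""
    f = parse_dns_flags(response)
    return f["qr"] and f["rcode"] == 0 and f["ad"]

def nameservers_are_local(resolv_conf: str) -> bool:
    """The AD bit is only trustworthy if the resolver path cannot be tampered with;
    the simple safe case is every nameserver on the loopback interface."""
    addrs = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addrs.append(parts[1])
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)

# Constructed 12-byte DNS headers: QR|RD|RA|AD (0x81a0) vs QR|RD|RA only (0x8180).
VALIDATED_RESPONSE = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
UNVALIDATED_RESPONSE = bytes.fromhex("1234 8180 0001 0001 0000 0000")
LOCAL_RESOLV = "nameserver 127.0.0.1\nnameserver ::1\n"
REMOTE_RESOLV = "nameserver 192.0.2.53\n"   # documentation address, constructed

# ---- Conditions 2/3: TLSA records that match the presented chain ----

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """TLSA 'certificate association data' for a selector (0 = full cert,
    1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512)."""
    payload = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return payload
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_matches(usage: int, selector: int, mtype: int, data: bytes, chain: list) -> bool:
    """chain: [(cert_der, spki_der), ...], end-entity first, as sent by the server.
    Usage 3 (DANE-EE) is checked against the leaf only; usage 2 (DANE-TA) against
    any certificate in the presented chain. Usages 0/1 (PKIX-*) are not usable
    for SMTP DANE (RFC 7672) and never match here."""
    if usage == 3:
        candidates = chain[:1]
    elif usage == 2:
        candidates = chain
    else:
        return False
    return any(association_data(selector, mtype, c, k) == data for c, k in candidates)

def dane_verify(records: list, chain: list) -> bool:
    """RFC 7671: the chain is accepted if ANY usable published record matches."""
    return any(tlsa_matches(u, s, m, d, chain) for (u, s, m, d) in records)

def rollover_demo() -> dict:
    # Constructed stand-ins for DER certificates and their SubjectPublicKeyInfo.
    leaf_v1 = (b"CONSTRUCTED-LEAF-CERT-v1", b"CONSTRUCTED-LEAF-SPKI-key1")
    leaf_v2_same_key = (b"CONSTRUCTED-LEAF-CERT-v2", b"CONSTRUCTED-LEAF-SPKI-key1")
    leaf_v3_new_key = (b"CONSTRUCTED-LEAF-CERT-v3", b"CONSTRUCTED-LEAF-SPKI-key2")
    issuer = (b"CONSTRUCTED-ISSUER-CERT", b"CONSTRUCTED-ISSUER-SPKI")

    rec_3_0_1 = (3, 0, 1, association_data(0, 1, *leaf_v1))
    rec_3_1_1 = (3, 1, 1, association_data(1, 1, *leaf_v1))
    rec_2_1_1 = (2, 1, 1, association_data(1, 1, *issuer))

    return {
        # Re-issued cert, same key (fixed-CSR workflow): 3 1 1 survives, 3 0 1 breaks.
        "3 0 1 after reissue": dane_verify([rec_3_0_1], [leaf_v2_same_key, issuer]),
        "3 1 1 after reissue": dane_verify([rec_3_1_1], [leaf_v2_same_key, issuer]),
        # New key, same issuer: 3 1 1 alone breaks, the 2 1 1 record still matches.
        "3 1 1 after key change": dane_verify([rec_3_1_1], [leaf_v3_new_key, issuer]),
        "3 1 1 + 2 1 1 after key change": dane_verify(
            [rec_3_1_1, rec_2_1_1], [leaf_v3_new_key, issuer]),
    }

if __name__ == "__main__":
    print("validating resolver:", resolver_is_validating(VALIDATED_RESPONSE))
    print("resolver on loopback:", nameservers_are_local(LOCAL_RESOLV))
    for case, ok in rollover_demo().items():
        print(f"{case}: {'match' if ok else 'NO MATCH'}")
```

In a real monitor the chain would come from the live SMTP session and the records from a DNSSEC-validated TLSA lookup; the point of the demo is the matching rule itself, which is why a "2 1 1" record for the issuer lets the "3 1 1" record be swapped for a new key without an outage, provided the server actually sends the issuer certificate in its chain.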
