On Sun, Feb 16, 2020 at 10:26:45AM -0800, Earl Killian wrote:

> I am unable to receive mail from my Comcast friends at my Postfix server
> (postfix-3.2.0-2.6.1 on openSUSE 42.3 with openssl-1.0.2j). As far as I
> know only Comcast has a problem sending me mail. I have tried asking
> Comcast for help, but they are useless. I am hoping someone on this list
> can suggest debugging advice to figure out what the problem might be.

As luck would have it, you've come to the right place.  Your domain is
DNSSEC-signed, and your MX host has DANE TLSA records:

    $ hsdig -t a maple.killian.com
    maple.killian.com. IN A 199.165.155.8 ; NoError AD=1

    $ hsdig -t tlsa _25._tcp.maple.killian.com
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 4ca6fa3e1b53c809442cf7db22227e3f4a6bf51074305dbcf0a4593c30d1b723 ; NoError AD=1
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 7a668f4b7f418a618a9e1043b644c282d55e5ead0ff20acaa4db5357a9764a2f ; NoError AD=1

> Comcast claims a TLS certificate verify failure. I have checked the TLS
> connection process with

Comcast (and not only they) support and enforce DANE.

> Diagnostic-Code: smtp; TLS negotiation: certificate verify failed

Which is expected, since your certificate chain DOES NOT match your DANE
TLSA record:

    ; 1. Get rid of all the "sha1" DS records, they're useless, the "sha2"
    ;    hashes are universally supported and quite sufficient.
    ; 2. You probably don't need DS RRs for four different KSKs, at most two
    ;    at a time is enough to support a reasonable key rollover process.
    ;
    killian.com. IN DS 1396 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 1396 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 10651 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 10651 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 29048 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 29048 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 33864 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 33864 14 2 <...> ; AD=1 NoError

    ; And of course four KSKs is too many, at most two will do.
    ;
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError

    ; And ditto for the ZSKs
    ;
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError

    ; Your MX host promises IPv6:
    ;
    killian.com. IN MX 10 maple.killian.com. ; AD=1 NoError
    maple.killian.com. IN A 199.165.155.8 ; AD=1 NoError
    maple.killian.com. IN AAAA 2607:f358:10:27::8 ; AD=1 NoError

    ; But refuses IPv6 connections
    ;
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 4ca6fa3e1b53c809442cf7db22227e3f4a6bf51074305dbcf0a4593c30d1b723 ; AD=1 NoError
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 7a668f4b7f418a618a9e1043b644c282d55e5ead0ff20acaa4db5357a9764a2f ; AD=1 NoError

    ; Most importantly, its just replaced Let's Encrypt certificate
    ; does not match its TLSA record
    ;
    ; Suggested more robust TLSA record management approaches can be found via:
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    maple.killian.com[199.165.155.8]: tlsa-mismatch
    maple.killian.com[2607:f358:10:27::8]: connection refused
      TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P384
      name = killian.com
      name = maple.killian.com
      name = pine.killian.com
      name = puffleservices.com
      name = smtp.killian.com
      name = smtp.puffleservices.com
      name = smtp1.killian.com
      name = smtp1.puffleservices.com
      name = smtp2.killian.com
      name = smtp2.puffleservices.com
      depth = 0
        Issuer CommonName = Let's Encrypt Authority X3
        Issuer Organization = Let's Encrypt
        notBefore = 2020-02-12T23:29:02Z
        notAfter = 2020-05-12T23:29:02Z
        Subject CommonName = smtp.killian.com
        cert sha256 [nomatch] <- 3 0 1 ca2be3cf3e0f13fec3860bc6a54a21f3d51deea640fe8695c83c9fd817de02a6
        pkey sha256 [nomatch] <- 3 1 1 b7f1cd36893e5a884a3c4c70853e87089ea8b65e07c9c7996181d1b3b48ceb39
      depth = 1
        Issuer CommonName = DST Root CA X3
        Issuer Organization = Digital Signature Trust Co.
        notBefore = 2016-03-17T16:40:46Z
        notAfter = 2021-03-17T16:40:46Z
        Subject CommonName = Let's Encrypt Authority X3
        Subject Organization = Let's Encrypt
        cert sha256 [nomatch] <- 2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
        pkey sha256 [nomatch] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    * Potential matching TLSA records:
      3 1 1 b7f1cd36893e5a884a3c4c70853e87089ea8b65e07c9c7996181d1b3b48ceb39
      2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

--
Viktor.
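An added check that is not part of Viktor's reply or of Postfix: a POSIX sh script using only the openssl CLI that computes a certificate's TLSA digests (selector 0 = full cert, 1 = SPKI; matching type 1 = SHA-256, 2 = SHA-512) and compares them with published "usage selector mtype hex" RDATA, so a "3 0 1" record can be verified, or a renewal-tolerant "3 1 1" one generated, before a certificate is swapped. The function names are invented for this example.

```shell
#!/bin/sh
# Invented helper names for this example; needs only the openssl CLI.
# tlsa_digest CERT.pem SELECTOR MTYPE -> lowercase hex digest on stdout.
#   selector: 0 = full DER certificate, 1 = SubjectPublicKeyInfo (SPKI)
#   matching type: 1 = SHA-256, 2 = SHA-512
tlsa_digest() {
    cert=$1 selector=$2 mtype=$3
    case $mtype in
        1) alg=sha256 ;;
        2) alg=sha512 ;;
        *) echo "tlsa_digest: unsupported matching type '$mtype'" >&2; return 2 ;;
    esac
    case $selector in          # validate before piping: a 'return' inside
        0|1) ;;                # the pipeline below would not propagate
        *) echo "tlsa_digest: unsupported selector '$selector'" >&2; return 2 ;;
    esac
    case $selector in
        0) openssl x509 -in "$cert" -outform DER ;;
        1) openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst "-$alg" | awk '{ print tolower($NF) }'
}

# tlsa_matches CERT.pem "USAGE SELECTOR MTYPE HEX" -> exit 0 iff the digest
# matches. Usage is not interpreted: pass the end-entity cert for usage 3
# (DANE-EE) or the issuer cert for usage 2 (DANE-TA).
tlsa_matches() {
    cert=$1
    set -- $2                  # split the RDATA into its four fields
    want=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    have=$(tlsa_digest "$cert" "$2" "$3") || return 2
    [ "$have" = "$want" ]
}

# tlsa_rdata CERT.pem USAGE SELECTOR MTYPE -> RDATA to publish. A "3 1 1"
# record keeps matching across renewals as long as the key pair is reused.
tlsa_rdata() {
    printf '%s %s %s %s\n' "$2" "$3" "$4" "$(tlsa_digest "$1" "$3" "$4")"
}

# dane_report CERT.pem RECORDS_FILE -> one [match]/[nomatch] line per RDATA
# line in the file; exit 0 iff at least one record matched.
dane_report() {
    status=1
    while read -r rec; do
        [ -n "$rec" ] || continue
        if tlsa_matches "$1" "$rec"; then echo "[match]   <- $rec"; status=0
        else echo "[nomatch] <- $rec"; fi
    done < "$2"
    return $status
}
```

For the chain in the report above, the leaf certificate would be checked with `dane_report leaf.pem records.txt`, where records.txt holds the two published "3 0 1" RDATA lines.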