On Sun, Feb 16, 2020 at 10:26:45AM -0800, Earl Killian wrote:

> I am unable to receive mail from my Comcast friends at my Postfix server
> (postfix-3.2.0-2.6.1 on openSUSE 42.3 with openssl-1.0.2j). As far as I
> know only Comcast has a problem sending me mail. I have tried asking
> Comcast for help, but they are useless. I am hoping someone on this list
> can suggest debugging advice to figure out what the problem might be.

As luck would have it, you've come to the right place.  Your domain is
DNSSEC-signed, and your MX host has DANE TLSA records:

    $ hsdig -t a maple.killian.com
    maple.killian.com. IN A 199.165.155.8 ; NoError AD=1

    $ hsdig -t tlsa _25._tcp.maple.killian.com
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 4ca6fa3e1b53c809442cf7db22227e3f4a6bf51074305dbcf0a4593c30d1b723 ; NoError AD=1
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 7a668f4b7f418a618a9e1043b644c282d55e5ead0ff20acaa4db5357a9764a2f ; NoError AD=1

> Comcast claims a TLS certificate verify failure. I have checked the TLS
> connection process with

Comcast (and not only they) support and enforce DANE.

> Diagnostic-Code: smtp; TLS negotiation: certificate verify failed

Which is expected, since your certificate chain DOES NOT match your
DANE TLSA record:

    ; 1. Get rid of all the "sha1" DS records, they're useless, the "sha2"
    ;    hashes are universally supported and quite sufficient.
    ; 2. You probably don't need DS RRs for four different KSKs, at most two
    ;    at a time is enough to support a reasonable key rollover process.
    ;
    killian.com. IN DS 1396 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 1396 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 10651 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 10651 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 29048 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 29048 14 2 <...> ; AD=1 NoError
    killian.com. IN DS 33864 14 1 <...> ; AD=1 NoError
    killian.com. IN DS 33864 14 2 <...> ; AD=1 NoError

    ; And of course four KSKs is too many, at most two will do.
    ;
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 257 3 14 <...> ; AD=1 NoError

    ; And ditto for the ZSKs
    ;
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError
    killian.com. IN DNSKEY 256 3 14 <...> ; AD=1 NoError

    ; Your MX host promises IPv6:
    ;
    killian.com. IN MX 10 maple.killian.com. ; AD=1 NoError
    maple.killian.com. IN A 199.165.155.8 ; AD=1 NoError
    maple.killian.com. IN AAAA 2607:f358:10:27::8 ; AD=1 NoError

    ; But refuses IPv6 connections
    ;
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 4ca6fa3e1b53c809442cf7db22227e3f4a6bf51074305dbcf0a4593c30d1b723 ; AD=1 NoError
    _25._tcp.maple.killian.com. IN TLSA 3 0 1 7a668f4b7f418a618a9e1043b644c282d55e5ead0ff20acaa4db5357a9764a2f ; AD=1 NoError

      ; Most importantly, its just replaced Let's Encrypt certificate
      ; does not match its TLSA record
      ;
      ; Suggested more robust TLSA record management approaches can be found via:

        https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
        https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
        https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
        https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
        https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

      maple.killian.com[199.165.155.8]: tlsa-mismatch
      maple.killian.com[2607:f358:10:27::8]: connection refused
        TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384,P384
        name = killian.com
        name = maple.killian.com
        name = pine.killian.com
        name = puffleservices.com
        name = smtp.killian.com
        name = smtp.puffleservices.com
        name = smtp1.killian.com
        name = smtp1.puffleservices.com
        name = smtp2.killian.com
        name = smtp2.puffleservices.com
        depth = 0
          Issuer CommonName = Let's Encrypt Authority X3
          Issuer Organization = Let's Encrypt
          notBefore = 2020-02-12T23:29:02Z
          notAfter = 2020-05-12T23:29:02Z
          Subject CommonName = smtp.killian.com
          cert sha256 [nomatch] <- 3 0 1 ca2be3cf3e0f13fec3860bc6a54a21f3d51deea640fe8695c83c9fd817de02a6
          pkey sha256 [nomatch] <- 3 1 1 b7f1cd36893e5a884a3c4c70853e87089ea8b65e07c9c7996181d1b3b48ceb39
        depth = 1
          Issuer CommonName = DST Root CA X3
          Issuer Organization = Digital Signature Trust Co.
          notBefore = 2016-03-17T16:40:46Z
          notAfter = 2021-03-17T16:40:46Z
          Subject CommonName = Let's Encrypt Authority X3
          Subject Organization = Let's Encrypt
          cert sha256 [nomatch] <- 2 0 1 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
          pkey sha256 [nomatch] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

       * Potential matching TLSA records:

        3 1 1 b7f1cd36893e5a884a3c4c70853e87089ea8b65e07c9c7996181d1b3b48ceb39
        2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

-- 
    Viktor.

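A stand-alone checker for the kind of mismatch shown in the diagnostic above, added here as an example and not part of Viktor's reply or of Postfix: it derives the "3 0 1" (full certificate) and "3 1 1" (SubjectPublicKeyInfo) digests from a DER certificate with a minimal ASN.1 walk and compares them with a TLSA RRset, so a renewal that changed the certificate or key is caught before remote MTAs start refusing mail. The certificate it runs on is a constructed placeholder (empty name and validity fields, fake EC key), not a real Let's Encrypt certificate; for a real MX, pass in the DER bytes of the certificate the server presents.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certificate below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (selector 1 input)."""
    _, tbs_start, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, tbs_end = _tlv(cert_der, tbs_start)    # tbsCertificate ::= SEQUENCE { ... }
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))             # keep the whole TLV, not just its value
        pos = end
    if fields[0][0] == 0xA0:                       # drop the optional explicit [0] version
        fields = fields[1:]
    _, start, end = fields[5]                      # serial, signature, issuer, validity, subject, SPKI
    return cert_der[start:end]

def tlsa_digest(cert_der, selector, mtype=1):
    """Hex digest for a DANE-EE (usage 3) record: selector 0 = full cert, 1 = SPKI; mtype 1/2 = SHA-256/512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def matching_records(cert_der, tlsa_rrset):
    """Usage-3 records, given as (usage, selector, mtype, hexdigest) tuples, that match cert_der."""
    return [r for r in tlsa_rrset if r[0] == 3 and tlsa_digest(cert_der, r[1], r[2]) == r[3].lower()]
# Constructed sample (NOT a real certificate): valid DER shape with empty placeholder fields.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))   # id-ecPublicKey
                  + der(0x03, b"\x00\x04" + b"\x11" * 64))                       # fake EC point
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _TBS + der(0x30, b"") + der(0x03, b"\x00\x00"))  # + sigAlgorithm, signature

if __name__ == "__main__":
    # The zone's stale "3 0 1" record from the thread does not match this (or any renewed) cert.
    stale = [(3, 0, 1, "4ca6fa3e1b53c809442cf7db22227e3f4a6bf51074305dbcf0a4593c30d1b723")]
    print("matches:", matching_records(SAMPLE_CERT, stale))       # []
    print("needed 3 1 1 record:", tlsa_digest(SAMPLE_CERT, 1))
```

Run it against the live certificate before publishing or rotating TLSA records; a "3 1 1" record keeps matching across renewals only while the same key pair is reused, which is the point of the linked Let's Encrypt thread.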