Hello,

I am trying to debug/enable/test DANE on one of my domains. Actually the domain 
runs an experimental SMTP receiver running for domain et.lindenberg.one with 
six MXs, some of them configured to cause certificate validations to fail. To 
the best of my knowledge I added syntactically correct TLSAs indirectly via 
CNAMEs except for mx01.et.lindenberg.one, and the validator at 
https://dane.sys4.de/smtp/et.lindenberg.one is happy with DNSSEC and TLSA (SMTP 
obviously depends on availability and status of my experimental receiver).

When I send a mail from my postfix however, postfix reports "no TLSA records 
found". Or full log entries:

warning: TLS policy lookup for et.lindenberg.one/et.lindenberg.one: no TLSA 
records found

49B4E0EAC: to=<t...@et.lindenberg.one>, relay=none, delay=49105, 
delays=49104/0.04/0.51/0, dsn=4.7.5, status=deferred (no TLSA records found)

Following 
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md#configuring-postfix 
I can confirm smtp_dns_support_level = dnssec is set, and smtp_host_lookup is 
not set (default). I also confirmed DNSSEC is working by sending a test mail to 
some other DANE site successfully (with a TLS policy dane-only).

The only difference I noticed is that the other site uses a TLSA 2 0 1 … 
whereas I use 2 1 1 ….

Is postfix more picky than other tools? A configuration issue? Or anything else 
I should watch out for?

Thanks, Joachim

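An added example (not code from the post, from Postfix or from the linked how-to): a stdlib-only Python helper that derives the TLSA certificate association data for the two record shapes compared in the post, 2 0 1 (SHA-256 of the whole certificate) and 2 1 1 (SHA-256 of the SubjectPublicKeyInfo), from a DER certificate and checks a presentation-form record against it. The certificate it uses is a constructed DER stand-in with the X.509 field layout but dummy contents and no real key, so the hashes are illustrative only.

```python
import hashlib

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or two-byte long length form)."""
    n = len(content)
    return bytes([tag, n]) + content if n < 0x80 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + content

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, end offset) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    nbytes = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def der_items(seq: bytes) -> list:
    """Split a DER SEQUENCE into its raw element TLVs."""
    tag, content, _ = der_read(seq)
    assert tag == 0x30, "not a SEQUENCE"
    items, pos = [], 0
    while pos < len(content):
        end = der_read(content, pos)[2]
        items.append(content[pos:end])
        pos = end
    return items

def extract_spki(cert_der: bytes) -> bytes:
    """SPKI follows version ([0], optional), serial, signature, issuer, validity, subject."""
    fields = der_items(der_items(cert_der)[0])  # tbsCertificate fields
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5]

def tlsa_assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector 0 = full certificate, 1 = SPKI; matching type 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()

def tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Zone-file presentation form, e.g. '2 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {tlsa_assoc_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(record: str, cert_der: bytes) -> bool:
    """Compare a presentation-form record with a certificate (usage is not evaluated)."""
    _usage, sel, mt, hexdata = record.split(None, 3)
    return bytes.fromhex(hexdata.replace(" ", "")) == tlsa_assoc_data(cert_der, int(sel), int(mt))
# Constructed stand-in: X.509 field layout, dummy contents, no real key; serial simulates re-issue.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00\x01\x02\x03"))
def sample_cert(spki: bytes, serial: int = 1) -> bytes:
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + der_tlv(0x30, b"") * 4 + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

A certificate re-issued for the same key keeps a 2 1 1 record valid while a 2 0 1 record must be rolled, which is why it is worth comparing the published record against the live certificate's SPKI hash rather than only checking that the record looks well-formed.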