Dear Postfix folks,

On 17.02.22 at 15:56, Paul Menzel wrote:

On 17.02.22 at 10:57, Paul Menzel wrote:

Using Postfix 3.6.0-rc1, for an email sent to x.y.molgen.mpg.de it looks up the TLSA records for y.molgen.mpg.de instead of x.y.molgen.mpg.de:

    2022-02-12T12:02:21+01:00 tldr postfix/smtp[25656]: warning: TLS policy lookup for github.molgen.mpg.de/github.molgen.mpg.de: no TLSA records found
    2022-02-12T12:02:21+01:00 tldr postfix/smtp[25656]: 6D99D61E6478B: to=<reply+aaaacsicemwr3r6pflrtadwacnzzlevbnhgs...@reply.github.molgen.mpg.de>, relay=none, delay=0.3, delays=0.28/0.02/0/0, dsn=4.7.5, status=deferred (no TLSA records found)

I forgot to mention that this is all handled internally. I haven’t tried from another domain.

Note that we have a dane-only TLS policy configured for our domains, as we use DNSSEC and the MTAs all have TLSA records published. (And the dane TLS policy unfortunately falls back to encrypt and not secure.)

Indeed for github.molgen.mpg.de no MX record exists, but there shouldn’t as the message goes to reply.github.molgen.mpg.de:

    $ dig mx reply.github.molgen.mpg.de +dnssec +short
    5 mx3.molgen.mpg.de.
    MX 7 5 7200 20220318110038 20220216110038 14960 molgen.mpg.de. kTDvX9PKXC9sk96QViR09wUATN3m96sz6Ha6FrMRBrjxUa1OU1AdhvVj cJbRyetiHy3v+uOPdrng4NLVAow/omnF7Ph0twfz9p9EXUfOBBC/6QJJ Ym5JfxgjDWReHVFw5Y+duQSXtvSOjJR0KwHECtcAClWxO0e98/EtvEmP TQajwIkw5sA8wOmcIMu6BKIjaEZvEVB6NQxT72HrEpNbsKWnbBWfj71k qYag1hsmuVWzjLtN8E2AtPYic13x55t8tV1hEnlHcgFAp2Fya1y+o6hA okDMrg9JUf3/qSjjox3hY78IKAcw8KDz8DEwvjBnr76/6ut9zQ2oIc+P XA7N+w==
    $ dig _25._tcp.mx3.molgen.mpg.de IN TLSA +short
    3 1 2 7AAD43A0FDFF34452CA695A2B510F613A2997077E4C2EDFF2B32DE36 26552C2832EF72F5DC12B5FE3984BAFE1B87406207EDAD34A4F3E11F 49CD4A23DB83374C

The DANE SMTP Validator verifies that it should work for reply.github.molgen.mpg.de [1].

Any idea why github.molgen.mpg.de is looked at?

Brown paper bag. We have an entry in the transport table:

    reply.github.molgen.mpg.de smtp:github.molgen.mpg.de


Kind regards,

Paul


[1]: https://dane.sys4.de/smtp/reply.github.molgen.mpg.de
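
An added example, not part of the original message and not Postfix code: a small audit that reads transport(5)-style entries and reports the ones whose nexthop replaces the recipient domain as the name that DNS lookups (and, as in the log above, the TLS policy lookup) are performed for. It is a simplified model of the table format; the `example.org`/`example.net` entries and all function names are hypothetical.

```python
import re

# Constructed sample: the entry quoted in the message plus two hypothetical ones.
SAMPLE_TRANSPORT = """\
# constructed sample transport table
reply.github.molgen.mpg.de smtp:github.molgen.mpg.de
lists.example.org          smtp:[mail.example.net]:587
local.example.org          local:
"""

# nexthop is "[host]" (MX lookup suppressed) or "domain", optionally ":port"
NEXTHOP_RE = re.compile(
    r"^(?:\[(?P<lit>[^\]]+)\]|(?P<dom>[^:\[\]]+))(?::(?P<port>\w+))?$")

def parse_transport(text):
    """Yield (pattern, transport, nexthop) tuples from transport(5)-style text."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of previous line
        else:
            logical.append(line.strip())
    for entry in logical:
        parts = entry.split(None, 1)
        if len(parts) == 2:
            transport, _, nexthop = parts[1].partition(":")
            yield parts[0], transport, nexthop.strip()

def nexthop_overrides(text):
    """List entries where delivery is looked up under a name other than the key."""
    findings = []
    for pattern, transport, nexthop in parse_transport(text):
        m = NEXTHOP_RE.match(nexthop)
        if not m:
            continue      # empty nexthop: the recipient domain stays the destination
        host = (m.group("lit") or m.group("dom")).lower()
        if host != pattern.lower():
            findings.append({"pattern": pattern, "lookup_name": host,
                             "mx_lookup": m.group("lit") is None})
    return findings

if __name__ == "__main__":
    for f in nexthop_overrides(SAMPLE_TRANSPORT):
        how = "MX, then address" if f["mx_lookup"] else "address only"
        print(f"{f['pattern']}: resolved as {f['lookup_name']} ({how})")
```
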
