First of all, thanks for adding the TLSA RR for _25._tcp.buxtehude.debian.org.
It is a significant step forward, even given the following.

Sadly, using postfix 2.11-20130825-1 for outgoing smtp with:

    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

If I test with:

    gnutls-cli --dane --local-dns --no-ca-verification --starttls --port 25 buxtehude.debian.org

it connects, negotiates the tls and verifies the tlsa as expected.

Without dnssec enabled in postfix's config (which consequently disables dane), the tls handshake still fails, but postfix continues on w/o tls. (It is /opportunistic/ tls, in that case.)

This seems to be an openssl vs exim issue.

I'm sending this here to confirm whether the @deb MXs work....

-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 1024D/ED7DAEA6