Hi!
OK, this is in work now :-)
BTW: where do I get the cert from to generate the 2 1 1 entry for DNS?
Ciao Gerd
On 26.06.24 at 12:56, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Jun 26, 2024 at 11:26:59AM +0200, Gerd Hoerst via Postfix-users wrote:
>
>> I checked my domain with posttls-finger; it brings some errors (I can
>> only do it on the machine itself)
>>
>> posttls-finger: warning: DNSSEC validation may be unavailable
>> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response
>> that is not DNSSEC validated
>
> That's the reason you're unable to verify your TLSA records, the
> resolver in /etc/resolv.conf is not a DNSSEC-validating resolver,
> or you're missing "options trust-ad" in /etc/resolv.conf.
>
>> posttls-finger: Untrusted TLS connection established to
>> vserver.hoerst.net[127.0.1.1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
>> (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
>> server-digest SHA256....
>
> This is just a consequence. Your DANE setup is presently fine:
>
> $ posttls-finger -c -Lsummary hoerst.net
> posttls-finger: Verified TLS connection established to
> vserver.hoerst.net[2a03:4000:6:4304:c8a2:c3ff:fe93:ccda]:25: TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature RSA-PSS (2048 bits) server-digest SHA256
>
> $ danesmtp vserver.hoerst.net
> CONNECTION ESTABLISHED
> Protocol version: TLSv1.3
> Ciphersuite: TLS_AES_256_GCM_SHA384
> Peer certificate: CN = vserver.hoerst.net
> Hash used: SHA256
> Signature type: RSA-PSS
> Verification: OK
> DANE TLSA 3 1 1 ...36fb9fa74536c5f9274ad0b1 matched EE certificate at
> depth 0
> Server Temp Key: X25519, 253 bits
> 250 CHUNKING
> DONE
> $ echo $?
> 0
>
> However, your "2 1 1" record will stop working next time your
> certificate is renewed. See:
>
> https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
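The following is an added example, not code from this thread or from Postfix. It shows how the TLSA association data that posttls-finger and danesmtp report ("3 1 1 ... matched EE certificate at depth 0") is derived from a certificate, and why a "2 1 1" record, which is bound to the issuing CA's public key rather than the server's, stops matching as soon as the CA signs a renewed certificate with a different intermediate key. Everything in it is synthetic: the certificates are hand-built DER structures with placeholder key bytes and a fake signature, the host name `vserver.example` is made up, and the chain matching is a simplified reading of DANE usage semantics (usage 3 checked against the leaf at depth 0, usage 2 against an issuer above the leaf), not a full RFC 7672 verifier.

```python
"""Added example, not code from the thread or from Postfix: derives TLSA
record data the way a DANE verifier would check it, and shows why a
"2 1 1" record stops matching when the issuing CA key changes while a
"3 1 1" record bound to a stable server key keeps matching.

Everything here is synthetic: the certificates are hand-built DER structures
with placeholder key bytes and a fake signature, and the chain matching is a
simplified reading of DANE usage semantics (usage 3 = leaf at depth 0,
usage 2 = an issuer above the leaf), not a full RFC 7672 verifier."""
import hashlib

SEQ, INT, BITSTR, NULL, OID, SET, PRINTABLE, UTCTIME, CTX0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x31, 0x13, 0x17, 0xA0)
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and long-form lengths)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_elements(content: bytes):
    """Split the content of a constructed DER value into (tag, value, raw_tlv)."""
    i, out = 0, []
    while i < len(content):
        tag, first = content[i], content[i + 1]
        if first < 128:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(content[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, content[i + hdr:i + hdr + n], content[i:i + hdr + n]))
        i += hdr + n
    return out


def spki(pubkey_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo: the object a TLSA selector-1 record is computed over."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + pubkey_bytes))


def fake_cert(subject: bytes, issuer: bytes, pubkey_bytes: bytes) -> bytes:
    """A structurally valid but unsigned X.509 v3 certificate (placeholder data)."""
    def name(cn: bytes) -> bytes:
        return der(SEQ, der(SET, der(SEQ, der(OID, CN_OID) + der(PRINTABLE, cn))))
    sigalg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + sigalg
              + name(issuer) + validity + name(subject) + spki(pubkey_bytes))
    return der(SEQ, tbs + sigalg + der(BITSTR, b"\x00" * 33))  # signature is a placeholder


def extract_spki(cert_der: bytes) -> bytes:
    """Pull the raw SubjectPublicKeyInfo TLV out of a DER certificate."""
    (_, cert_body, _), = der_elements(cert_der)
    tbs_fields = der_elements(der_elements(cert_body)[0][1])
    i = 1 if tbs_fields[0][0] == CTX0 else 0   # optional [0] EXPLICIT version
    return tbs_fields[i + 5][2]                # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int):
    """(usage, selector, mtype, hex association data) for one certificate."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    return (usage, selector, mtype, data.hex())


def tlsa_matches(chain, record):
    """Return the chain depth the record matched at, or None (simplified DANE)."""
    usage, selector, mtype, assoc = record
    depths = [0] if usage == 3 else range(1, len(chain))
    for d in depths:
        if tlsa_rdata(chain[d], usage, selector, mtype)[3] == assoc:
            return d
    return None


def renewal_scenario():
    """Same server key after renewal, but a different issuing CA key."""
    server_key = hashlib.sha256(b"server-key").digest() * 2   # placeholder key bits
    old_ca_key = hashlib.sha256(b"old-ca-key").digest() * 2
    new_ca_key = hashlib.sha256(b"new-ca-key").digest() * 2
    ee = fake_cert(b"vserver.example", b"Old CA", server_key)
    old_ca = fake_cert(b"Old CA", b"Root", old_ca_key)
    rec_311 = tlsa_rdata(ee, 3, 1, 1)       # DANE-EE, SPKI, SHA-256 of the server key
    rec_211 = tlsa_rdata(old_ca, 2, 1, 1)   # DANE-TA, SPKI, SHA-256 of the CA key
    before = (tlsa_matches([ee, old_ca], rec_311), tlsa_matches([ee, old_ca], rec_211))
    ee2 = fake_cert(b"vserver.example", b"New CA", server_key)
    new_ca = fake_cert(b"New CA", b"Root", new_ca_key)
    after = (tlsa_matches([ee2, new_ca], rec_311), tlsa_matches([ee2, new_ca], rec_211))
    return before, after


if __name__ == "__main__":
    print(renewal_scenario())  # ((0, 1), (0, None))
```

Before renewal both records match (3 1 1 at depth 0, 2 1 1 at depth 1); after the issuer key changes only the 3 1 1 record still matches, and only because the server key was kept. The same logic shows the other side of that coin: a 3 1 1 record is only as stable as the server key it is computed over, so key rotation has to be coordinated with a DNS update.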
_______________________________________________
Postfix-users mailing list