On Thu, Jun 05, 2025 at 09:11:01PM +0200, Luca vom Bruch via Postfix-users wrote:
> to=<ld-879a626...@learndmarc.com>, relay=none, delay=0.64,
> delays=0.1/0.02/0.51/0, dsn=4.7.5, status=deferred (no TLSA records found)

That's odd, when I query the DNS, I see DNSSEC-signed MX records for the
domain with signed A, AAAA and TLSA records for its MX host:

    ; NOERROR qr rd ra ad
    learndmarc.com. IN MX 10 uriports.com.

    ; NOERROR qr rd ra ad
    uriports.com. IN A 87.239.13.42

    ; NOERROR qr rd ra ad
    uriports.com. IN AAAA 2001:678:6a0::3:101

    ; NOERROR qr rd ra ad
    _25._tcp.uriports.com. IN TLSA 3 1 1 11593c9337b95ce900a00e3a030f2d156a6a3d71681ce745aa11dba6dd0c0afc

Your delivery agent for this domain seems to be unable to make
DNSSEC-validated queries, getting a false indication of TLSA record
absence.

> The developer suggested this is a config issue of mine, so maybe, here
> is my config:

Look in master.cf first, for the relevant delivery agent, then also
check your /etc/resolv.conf file, ...

> smtp_dns_support_level = dnssec
> smtp_host_lookup = dns
> tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM

FWIW, the cipherlist looks much too specific (counterproductive attempt
to raise security that does nothing of the sort).

-- 
    Viktor.
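The two checks suggested in the message above (per-agent settings in master.cf, then the resolvers in /etc/resolv.conf), sketched as an added example that is not part of the original message or of Postfix. The sample file contents are constructed and the function names are hypothetical; only the plain `-o name=value` override form is parsed.

```python
import ipaddress

# Constructed sample inputs; not the poster's actual files.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/relay
    -o smtp_dns_support_level=enabled
"""
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
nameserver 127.0.0.1
"""

def parse_master_cf(text):
    """Return one field list per service entry, joining continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1].extend(line.split())  # leading whitespace = continuation
        else:
            entries.append(line.split())
    return entries

def smtp_client_findings(master_cf):
    """Report chroot flag and DNS-level override of each smtp(8) client entry."""
    findings = []
    for f in parse_master_cf(master_cf):
        if len(f) < 8 or f[7] != "smtp":
            continue
        args = f[8:]
        # Only the plain "-o name=value" form is handled here.
        overrides = dict(v.split("=", 1) for o, v in zip(args, args[1:])
                         if o == "-o" and "=" in v)
        findings.append({
            "service": f"{f[0]}/{f[1]}",
            # A chrooted agent reads etc/resolv.conf under the queue directory.
            "chroot": f[4] == "y",
            "dns_level": overrides.get("smtp_dns_support_level"),
        })
    return findings

def non_loopback_resolvers(resolv_conf):
    """List nameserver addresses that are not a local (loopback) resolver."""
    addrs = [p[1] for p in map(str.split, resolv_conf.splitlines())
             if len(p) >= 2 and p[0] == "nameserver"]
    return [a for a in addrs if not ipaddress.ip_address(a).is_loopback]
```

A loopback resolver is not necessarily a validating one; the `ad` flag on a query such as those shown in the message is what confirms validation.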