On Fri, Dec 12, 2025 at 11:46:24AM -0500, Greg Klanderman via Postfix-users wrote:

> I had been planning to get a real certificate when I upgrade the OS
> and postfix.. I'll see if that resolves the issue. Probably look into
> DANE/etc as well. I've got a pretty long list of deferred TLC...

DO NOT implement **inbound** DANE (publication of TLSA records for your
own MX hosts) unless and until you have timely and effective monitoring
of the correctness of those TLSA records.

  - At least ~hourly, connect to every IPv4 and IPv6 address of each
    MX host.

  - In "advanced" configurations in which the MX host is configured
    with multiple certificates (e.g. RSA and ECDSA), make a separate
    connection for each algorithm setting the "supported signature
    algorithms" list to just that type.

      - RSA)   rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:
               rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:
               rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512

      - ECDSA) ecdsa_secp256r1_sha256:
               ecdsa_secp384r1_sha384:
               ecdsa_secp521r1_sha512

    Simpler in most cases to deploy just an RSA cert for now...

  - Make sure that notification of any problems found will work
    even when some of the TLSA records don't match.

  - The danesmtp[1] Bash function I posted to [email protected]
    may be useful in this regard.

      https://list.sys4.de/hyperkitty/list/[email protected]/message/6723WDBLPYWSXAORTAJR7EPAIOFAP5N4/

  - Unmonitored security is an oxymoron.

> The other one I guess I can wait a month and see if they have sorted
> themselves out by my next statement..

IIRC the reported issue with "mailgun" is longstanding, I don't know
whether it has been communicated to them effectively or not, nor whether
they've decided to not care or not.

> As I said, they always retry and succeed (with TLS, even) so not too
> worried about that.

It was also my impression that the well-known systems that unreasonably
expect authenticated TLS retry in the clear (or perhaps with
less-stringent TLS settings) and mail is merely delayed, not lost.

--
Viktor. 🇺🇦 Слава Україні!

[1]
    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sigs sslopts
        local rr i=0 host addr usages=23
        # Signature algorithm lists used to request one certificate type.
        local rsa=rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512
        local ecdsa=ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512

        while getopts a:u:s: opt; do
            case $opt in
            a) addr=$OPTARG
               # Bracket IPv6 literals for -connect.
               case $addr in *:*) addr="[$addr]";; esac;;
            u) usages=$OPTARG;;
            s) case $OPTARG in
               rsa|RSA) sigs=("-sigalgs" "$rsa" -cipher aRSA);;
               ecdsa|ECDSA) sigs=("-sigalgs" "$ecdsa" -cipher aECDSA);;
               *) printf '%s: Only RSA and ECDSA signatures supported\n' "$0"
                  return 1;;
               esac;;
            *) printf 'usage: danesmtp [-a addr] [-u usages] [-s rsa|ecdsa] host [ssloption ...]\n'
               return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift
        # Without -a, connect to whatever the host name resolves to.
        if [[ -z "$addr" ]]; then
            addr="$host"
        fi
        sslopts=(-starttls smtp -connect "$addr:25" "${sigs[@]}"
                 -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Fetch the TLSA RRset, keeping only well-formed records with the
        # selected certificate usages (default: 2 and 3).
        rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                grep -Ei "^[$usages]"' [01] [012] [0-9a-f]+$') )
        # Each record is four words: usage, selector, mtype, data.
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done
        ( sleep 1; printf "QUIT\r\n" ) |
            openssl s_client -brief "${sslopts[@]}" "$@"
    }
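
Added example, not part of the original post: a wrapper that applies the monitoring checklist above by calling danesmtp once per MX address and per signature algorithm. The names mx_addrs, dane_monitor, DANE_RESOLVE and DANE_CHECK are hypothetical, and it assumes that "openssl s_client -brief" prints "Verification: OK" when verification succeeds.

```bash
# Added example (not from the post). Assumes the danesmtp function above is
# defined in the current bash session and that dig is installed.
# DANE_RESOLVE and DANE_CHECK are hypothetical hooks for swapping in stubs.

# Print every IPv4 and IPv6 address of an MX host, one per line.
mx_addrs() {
    { dig +short -t a "$1"; dig +short -t aaaa "$1"; } |
        grep -E '^([0-9]+(\.[0-9]+){3}|[0-9a-fA-F:.]*:[0-9a-fA-F:.]*)$'
}

# dane_monitor host [alg ...]
# Runs one check per (address, algorithm) pair, prints one FAIL line per
# failing pair, and returns non-zero if anything failed.
dane_monitor() {
    local host addr alg out failed addrs
    host=$1; shift
    [ "$#" -gt 0 ] || set -- rsa      # single-certificate default
    failed=0
    addrs=$(${DANE_RESOLVE:-mx_addrs} "$host") || true
    if [ -z "$addrs" ]; then
        # An MX host with no addresses is itself a reportable fault.
        printf 'FAIL %s no-address -\n' "$host"
        return 1
    fi
    for addr in $addrs; do
        for alg in "$@"; do
            # s_client -brief writes its status to stderr, so capture both.
            out=$(${DANE_CHECK:-danesmtp} -a "$addr" -s "$alg" "$host" 2>&1) || true
            case $out in
                *"Verification: OK"*) ;;   # assumed success marker
                *) printf 'FAIL %s %s %s\n' "$host" "$addr" "$alg"
                   failed=1 ;;
            esac
        done
    done
    return "$failed"
}
```

Run it at least hourly for each MX host (for example, dane_monitor mx1.example.net rsa ecdsa), and deliver the FAIL lines over a channel that keeps working when the TLSA records of the monitored MX do not match.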