On 02.08.2014 at 20:14, Peter Palfrader wrote:
> [Please CC me on replies.]
>
> Hi,
>
> running 2.11.1 on Debian wheezy, I noticed the following in my mail.log today:
>
> weasel@eugeni:~$ grep mx02.posteo.de /var/log/mail.log | grep 'connection est'
> } Aug 1 09:59:59 s_local@eugeni postfix/smtp[22481]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:00:25 s_local@eugeni postfix/smtp[21471]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:03:15 s_local@eugeni postfix/smtp[22492]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:05:15 s_local@eugeni postfix/smtp[21477]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:05:36 s_local@eugeni postfix/smtp[22653]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:05:37 s_local@eugeni postfix/smtp[23724]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:45:40 s_local@eugeni postfix/smtp[30489]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:45:40 s_local@eugeni postfix/smtp[30402]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 10:47:19 s_local@eugeni postfix/smtp[30484]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 11:38:10 s_local@eugeni postfix/smtp[7115]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 11:38:14 s_local@eugeni postfix/smtp[6424]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 11:38:16 s_local@eugeni postfix/smtp[6432]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> } Aug 1 11:39:17 s_local@eugeni postfix/smtp[6439]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> ...
>
> My config includes
> } smtp_dns_support_level = dnssec
> } smtp_tls_security_level = dane
> and my only nameserver in /etc/resolv.conf is a security-aware unbound instance on 127.0.0.1.

Please verify the setting

smtp_host_lookup = dns

What does

dig _25._tcp.smtp.posteo.de +dnssec +m

return? And what does

posttls-finger -t30 -T180 -c -L verbose,summary posteo.de

give you? Here it is:

posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.mx02.posteo.de IN TLSA 3 1 1 1E:E4:C4:31:8C:1F:A8:D7:5A:C0:DF:56:75:5B:30:A2:F8:8D:B7:BF:AC:12:9A:2C:50:F3:16:A0:C3:B1:E6:40
posttls-finger: setting up TLS connection to mx02.posteo.de[89.146.194.165]:25
posttls-finger: mx02.posteo.de[89.146.194.165]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: mx02.posteo.de[89.146.194.165]:25: depth=1 verify=0 subject=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
posttls-finger: mx02.posteo.de[89.146.194.165]:25: depth=1 verify=0 subject=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
posttls-finger: mx02.posteo.de[89.146.194.165]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/postalCode=10965/street=Methfesselstra\xDFe 38/O=Posteo e.K./CN=www.posteo.de/[email protected]/serialNumber=HRA 47592/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Charlottenburg
posttls-finger: mx02.posteo.de[89.146.194.165]:25: depth=0 matched end entity public-key sha256 digest=1E:E4:C4:31:8C:1F:A8:D7:5A:C0:DF:56:75:5B:30:A2:F8:8D:B7:BF:AC:12:9A:2C:50:F3:16:A0:C3:B1:E6:40
posttls-finger: mx02.posteo.de[89.146.194.165]:25: subject_CN=www.posteo.de, issuer_CN=StartCom Extended Validation Server CA, fingerprint=3A:89:D8:AD:DC:A7:23:5C:8F:44:E9:DD:2E:85:6A:31:D2:D3:C9:70, pkey_fingerprint=6B:63:F4:BD:E8:1F:0E:BA:52:85:51:3D:EF:DF:51:46:E1:C2:3C:4D
posttls-finger: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Are you sure that unbound on 127.0.0.1 is the only one in resolv.conf? Is unbound configured perfectly for DNSSEC? Does unbound ask other servers as forwarders etc.? Sorry, too short on time for more debugging.

> I notice that currently posteo's DNS is half-broken, i.e., one of its two nameservers returns SERVFAIL for every query. The other one appears to work just fine.
>
> Any idea why postfix fails to establish a verified TLS connection?
>
> If having one nameserver return SERVFAIL can induce this behavior, then this seems like a potential downgrading vector that could be abused.
>
> Cheers,

Best Regards
MfG
Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
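The thread turns on a single symptom: with smtp_tls_security_level = dane, the same DANE-protected destination is logged as "Verified TLS connection" in some deliveries and "Untrusted TLS connection" in others, which is what a failed or non-validated TLSA lookup looks like from the Postfix side. The script below is an added example (not code from the thread, from Postfix, or from sys4) that parses the postfix/smtp "TLS connection established" summary lines from mail.log, counts the TLS status per destination, and flags destinations that verified at least once but also logged a weaker status. The sample log lines are constructed for the example and modelled on the ones quoted above; the hostnames and addresses other than mx02.posteo.de are documentation placeholders.

```python
"""Flag destinations whose Postfix SMTP client TLS status flaps.

Added example, not part of the thread or of Postfix itself. It reads the
"<status> TLS connection established to host[ip]:port: proto with cipher ..."
lines that postfix/smtp writes to mail.log, groups them by destination and
reports destinations that were "Verified" in some deliveries but weaker in
others. Under smtp_tls_security_level = dane that pattern points at a TLSA
lookup problem (SERVFAIL, lost DNSSEC validation, a non-validating resolver
in resolv.conf) rather than at a host that simply publishes no TLSA record,
because a lookup failure silently falls back to unauthenticated TLS.
"""
import re
from collections import defaultdict

# Matches one postfix/smtp TLS summary line. The status keyword is what
# Postfix logs: Anonymous, Untrusted, Trusted or Verified.
TLS_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)$"
)

# Statuses that are weaker than a DANE/PKI-verified connection.
WEAKER_THAN_VERIFIED = {"Anonymous", "Untrusted", "Trusted"}

# Constructed sample log, modelled on the lines quoted in the thread.
# mail.example.net and mx.example.org are placeholders, not real destinations.
SAMPLE_LOG = """\
Aug  1 09:59:59 eugeni postfix/smtp[22481]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 10:05:37 eugeni postfix/smtp[23724]: Verified TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 10:45:40 eugeni postfix/smtp[30489]: Untrusted TLS connection established to mx02.posteo.de[89.146.194.165]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  1 11:02:03 eugeni postfix/smtp[31002]: Untrusted TLS connection established to mail.example.net[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug  1 11:04:10 eugeni postfix/smtp[31010]: Anonymous TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Aug  1 11:05:00 eugeni postfix/qmgr[1234]: A1B2C3D4E5: removed
"""


def parse_line(line):
    """Return the named fields of one TLS summary line, or None for any other line."""
    m = TLS_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count TLS statuses per destination host: {host: {status: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["host"]][rec["status"]] += 1
    return {host: dict(statuses) for host, statuses in counts.items()}


def flapping_destinations(lines):
    """Hosts logged as Verified at least once and as something weaker at least once.

    A host that is never Verified may simply have no TLSA record (Postfix then
    falls back to opportunistic TLS); a host that flips is the interesting case.
    """
    flapping = []
    for host, statuses in summarize(lines).items():
        verified = statuses.get("Verified", 0)
        weaker = sum(statuses.get(s, 0) for s in WEAKER_THAN_VERIFIED)
        if verified and weaker:
            flapping.append(host)
    return sorted(flapping)


def report(lines):
    """Human-readable summary, one line per destination, flapping hosts marked."""
    flapping = set(flapping_destinations(lines))
    out = []
    for host, statuses in sorted(summarize(lines).items()):
        detail = ", ".join(f"{s}={n}" for s, n in sorted(statuses.items()))
        mark = "  <-- verification flapping, check TLSA/DNSSEC resolution" if host in flapping else ""
        out.append(f"{host}: {detail}{mark}")
    return "\n".join(out)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/mail.log") on a real system.
    print(report(SAMPLE_LOG.splitlines()))
```

On the constructed sample, only mx02.posteo.de is reported as flapping: it verified once and was untrusted twice, exactly the pattern in the thread. The placeholder hosts that are consistently Untrusted or Anonymous are listed but not flagged, since nothing in the log says they ever had a usable TLSA record.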
