I am trying to configure opportunistic DANE for the Postfix SMTP client on an Ubuntu 14.04 box. The problem is that I cannot get a 'Verified' status for any of the servers I have tried connecting to.
For example:
# posttls-finger -t30 -T180 -c -L verbose,summary -l dane-only smtp.kernel-error.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: Failed to establish session to smtp.kernel-error.de via smtp.kernel-error.de: connect to smtp.kernel-error.de[2a01:4f8:120:83f3::2]:25: Network is unreachable posttls-finger: setting up TLS connection to smtp.kernel-error.de[178.63.54.200]:25 posttls-finger: smtp.kernel-error.de[178.63.54.200]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL" posttls-finger: smtp.kernel-error.de[178.63.54.200]:25: depth=1 verify=0 subject=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA posttls-finger: smtp.kernel-error.de[178.63.54.200]:25: depth=1 verify=0 subject=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA posttls-finger: smtp.kernel-error.de[178.63.54.200]:25: depth=0 verify=1 subject=/C=DE/ST=Nordrhein-Westfalen/L=Meckenheim/O=Sebastian Van De Meer/CN=smtp.kernel-error.de/emailAddress=postmas...@kernel-error.de posttls-finger: certificate verification failed for smtp.kernel-error.de[178.63.54.200]:25: untrusted issuer /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority posttls-finger: smtp.kernel-error.de[178.63.54.200]:25: subject_CN=smtp.kernel-error.de, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=B3:39:48:9F:4C:44:5B:2F:B5:10:64:24:A0:62:45:F2:51:29:79:7F, pkey_fingerprint=CB:78:8B:E2:84:9C:8D:57:6D:93:CE:BF:E4:C4:43:AD:CB:3D:32:48 posttls-finger: Untrusted TLS connection established to smtp.kernel-error.de[178.63.54.200]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The remote host does publish TLSA records and passes the external DANE check at https://dane.sys4.de/smtp/kernel-error.de, so the problem appears to be on my (client) side.

# postconf | grep mail_version
mail_version = 2.11.0

My postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
config_directory = /etc/postfix
default_destination_concurrency_limit = 5
delay_warning_time = 4h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}"
mailbox_size_limit = 0
message_size_limit = 104857600
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = REDACTED
myhostname = REDACTED
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = ignore
postscreen_dnsbl_sites = zen.spamhaus.org*2, b.barracudacentral.org*2, bl.spameatingmonkey.net*2, bl.spamcop.net, swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = ignore
readme_directory = no
recipient_delimiter = +
relay_destination_concurrency_limit = 1
relayhost =
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit smtpd_milters = unix:/spamass/spamass.sock unix:/clamav/clamav-milter.ctl unix:/opendkim/opendkim.sock smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = REDACTED
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = REDACTED
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = REDACTED
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-users
virtual_transport = dovecot

I can't find any entries in the logs for DANE validation of remote certificates: the posttls-finger output above never mentions a TLSA lookup at all and falls straight through to ordinary CA-based verification ("untrusted issuer"), ending in an "Untrusted" connection rather than a DANE failure. Apart from Postfix >= 2.11, are there any other prerequisites for DNSSEC/TLSA? In particular, does the client need a local DNSSEC-validating resolver (e.g. unbound on 127.0.0.1 listed in /etc/resolv.conf) that sets the AD bit, given that `smtp_dns_support_level = dnssec` only makes Postfix request DNSSEC data and trust the resolver's AD flag rather than validate signatures itself? Does `dig +dnssec _25._tcp.smtp.kernel-error.de TLSA` need to return the `ad` flag on this box for DANE to be attempted? What am I missing?

Cheers,
Elod
