I've set up DNSSEC and the TLSA records for my domains. And I think I
have set up DANE for SMTP correctly in Postfix. I see "Verified TLS
connection established to" in my logs when connecting to a server with
TLSA records.
Should I also be seeing "Verified TLS connection established from" when
someone using DANE connects to my server? I've used several validators
such as https://dane.sys4.de/smtp/mbchandler.net, and they all say that
everything is correct.
Here are my TLS settings:
##### TLS #####
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/root_bundle.crt
#smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers=EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
smtp_tls_protocols=!SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = $smtp_tls_CAfile
smtpd_tls_cert_file=/etc/ssl/certs/ssl.crt
smtpd_tls_key_file=/etc/pki/tls/private/ssl.key
smtpd_tls_auth_only = yes
#smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers=EXPORT, LOW, MD5, SEED, IDEA, RC2
smtpd_tls_protocols=!SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_dh1024_param_file=/etc/postfix/dh2048.pem
smtpd_tls_eecdh_grade = strong
##########
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
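As an added example (not code from the original post or from Postfix), here is the comparison a DANE client such as Postfix performs between a DNSSEC-validated TLSA record and the peer's certificate, written in Python so you can check that the records you publish match the certificate your smtpd serves. It assumes the caller supplies the DER bytes of the certificate and of its SubjectPublicKeyInfo; any sample bytes passed in are constructed stand-ins, not a real certificate.

```python
import hashlib
import re

# Added example, not code from the original post or from Postfix.  A DANE
# client (Postfix with smtp_tls_security_level = dane) trusts a peer only if a
# DNSSEC-validated TLSA record matches the certificate chain sent in the TLS
# handshake; this reproduces that comparison for one certificate so you can
# check that the records you publish match what your smtpd actually serves.
# Assumption: caller supplies DER bytes of the certificate and of its SPKI.

HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types

def tlsa_association_data(cert_der, spki_der, selector, mtype):
    """Bytes a TLSA record with this selector/matching type must carry."""
    if selector == 0:        # Cert(0): whole certificate
        data = cert_der
    elif selector == 1:      # SPKI(1): public key only, survives re-issuance
        data = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:           # Full(0): raw bytes, no hashing
        return data
    if mtype not in HASHES:
        raise ValueError(f"unknown matching type {mtype}")
    return HASHES[mtype](data).digest()

def make_tlsa(cert_der, spki_der, usage, selector, mtype):
    """Presentation form of the record to publish, e.g. '3 1 1 <hex>'."""
    assoc = tlsa_association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def parse_tlsa(rr):
    """Parse '3 1 1 <hex>'; dig may print the hex in space-separated chunks."""
    m = re.fullmatch(r"\s*(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f\s]+)", rr)
    if not m:
        raise ValueError(f"malformed TLSA record: {rr!r}")
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    return usage, selector, mtype, bytes.fromhex(re.sub(r"\s", "", m.group(4)))

def tlsa_matches(rr, cert_der, spki_der):
    """True if this certificate satisfies the record.  Only DANE-TA(2) and
    DANE-EE(3) are usable for SMTP (RFC 7672): PKIX-TA(0)/PKIX-EE(1) have no
    trusted CA set to anchor to, so an SMTP client ignores them.  Usage 2 is
    meant to match an issuer in the chain; pass that certificate's DER here."""
    usage, selector, mtype, assoc = parse_tlsa(rr)
    if usage not in (2, 3):
        return False
    return assoc == tlsa_association_data(cert_der, spki_der, selector, mtype)
```

Feed it the DER of the certificate in smtpd_tls_cert_file and the TLSA record you published; a mismatch here means a DANE-verifying sender will refuse to deliver to you.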