On Mon, April 17, 2017 11:30, Viktor Dukhovni wrote:
> Thank you for bringing this to my attention.
>
> Your host has DANE TLSA records, but lacks a matching certificate.

I am mystified as to what I have done wrong in this respect. The
certificate in question has this value as its common name:

    Subject: CN=inet18.mississauga.harte-lyne.ca

The DNS entries match as far as I can see:

    ;; ANSWER SECTION:
    inet18.mississauga.harte-lyne.ca. 102897 IN A 209.47.176.18

    ;; ANSWER SECTION:
    18.176.47.209.in-addr.arpa. 140860 IN PTR inet18.mississauga.harte-lyne.ca.

And yet, as you write, the TLSA verification chain fails:

    TLSA records found: 3
    TLSA: 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
    TLSA: 2 0 2 67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a
    TLSA: 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

    Connecting to IPv4 address: 209.47.176.18 port 25
    recv: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
    send: EHLO cheetara.huque.com
    recv: 250-inet18.mississauga.harte-lyne.ca
    recv: 250-PIPELINING
    recv: 250-SIZE 20480000
    recv: 250-ETRN
    recv: 250-STARTTLS
    recv: 250-ENHANCEDSTATUSCODES
    recv: 250-8BITMIME
    recv: 250-DSN
    recv: 250 SMTPUTF8
    send: STARTTLS
    recv: 220 2.0.0 Ready to start TLS
    TLSv1.2 handshake succeeded.
    Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Peer Certificate chain:
     0 Subject CN: inet18.mississauga.harte-lyne.ca
       Issuer  CN: CA_HLL_ISSUER_2016
     1 Subject CN: CA_HLL_ISSUER_2016
       Issuer  CN: CA_HLL_ROOT_2016
     2 Subject CN: CA_HLL_ROOT_2016
       Issuer  CN: CA_HLL_ROOT_2016
     SAN dNSName: inet18.mississauga.harte-lyne.ca
     SAN dNSName: inet18
     SAN dNSName: inet18.hamilton
     SAN dNSName: inet18.hamilton.harte-lyne.ca
     SAN dNSName: inet18.mississagua
     SAN dNSName: inet18.mississagua.harte-lyne.ca
    Error: peer authentication failed. rc=62 (Hostname mismatch)
    [2] Authentication failed for all (1) peers.

What may be an obvious error to others I cannot see myself. What is
wrong with the certificate? Is one no longer permitted to have
SubjectAlternativeNames?

> It looks like you're trying to arrive at a working configuration
> without thinking about the key questions:
>
> * What domains do you accept mail for?

These are listed in the relay_domains map.

> * Where is mail delivered?

At our main IMAP service, which is not directly accessible to this
particular host. This host is a backup MX and should forward mail to
the primary MX host when that becomes available.

> * What domain should appear in headers and envelopes of
>   locally generated mail?

The FQDN of this host is required, as any originating mail is internal
mail. This I believe is the default.

> * What notices should be sent to the postmaster (often
>   "none" is the right answer, provided logs, queues, ...
>   are monitored).
>
>> However, the source of this problem appears to me to be an invalid
>> sender
>
> No, the source is postmaster notices (possibly unwanted) that
> loop back to the local machine, and fail DANE authentication.

-- 
*** e-Mail is NOT a SECURE channel ***
        Do NOT transmit sensitive data via e-Mail
   Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
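The probe output above ends in "Hostname mismatch" even though all three TLSA records are usage 2 (DANE-TA) and the chain was accepted up to that point. The following is an added example, not code from the thread, from Postfix or from the probe tool whose output is quoted: it writes out the two checks a DANE-TA(2) SMTP client applies after the handshake, the TLSA digest match against the certificate (selector 0) or its SubjectPublicKeyInfo (selector 1), and the exact name match against the certificate's dNSName SANs, so an operator can test a certificate against its TLSA records before publishing them. The name the client compares is the MX hostname (the TLSA base domain), which the thread does not show, so the mismatching case uses the constructed placeholder `mx-backup.example.com`; the DER blobs are constructed stand-ins, since only their digests matter here. Signature verification of the chain up to the matched trust anchor is the TLS library's job and is not reproduced.

```python
# Added example (not from the thread, Postfix or the probe tool): the digest
# and name checks of DANE-TA(2)/DANE-EE(3) SMTP verification, RFC 7672 style.
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str      # association data as lowercase hex


def parse_tlsa(line: str) -> TLSARecord:
    """Parse one 'TLSA: 2 1 2 <hex>' line as printed by the probe above; the
    'TLSA:' prefix is optional, so zone-file style '2 1 2 <hex>' parses too."""
    fields = line.split()
    if fields and fields[0] == "TLSA:":
        fields = fields[1:]
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA record: {line!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSARecord(usage, selector, mtype, "".join(fields[3:]).lower())


def tlsa_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Association data (hex) a record with this selector and matching type
    must carry for the given certificate; this is what gets published in DNS."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    try:
        return tlsa_data(rec.selector, rec.mtype, cert_der, spki_der) == rec.data
    except ValueError:
        return False  # unusable record: skip it rather than fail open


def name_matches(expected: str, san_dnsnames: Sequence[str]) -> bool:
    """Exact, case-insensitive comparison against the dNSName SANs only; a
    near-miss spelling or a bare short name does not count as a match."""
    want = expected.lower().rstrip(".")
    return any(want == n.lower().rstrip(".") for n in san_dnsnames)


def dane_check(expected_name: str, records: Sequence[TLSARecord],
               chain: Sequence[Tuple[bytes, bytes]],
               san_dnsnames: Sequence[str]) -> str:
    """chain: (cert_der, spki_der) pairs, leaf first, as sent by the server.
    Returns 'ok' or the reason the client would log. Only usages 2 and 3 are
    used for SMTP; DANE-EE(3) matches the leaf and skips the name check,
    DANE-TA(2) may match any certificate in the chain and requires it."""
    usable = [r for r in records if r.usage in (2, 3)]
    if not usable:
        return "no usable TLSA records"
    ta_matched = False
    for rec in usable:
        if rec.usage == 3 and record_matches(rec, *chain[0]):
            return "ok"
        if rec.usage == 2 and any(record_matches(rec, c, s) for c, s in chain):
            ta_matched = True
    if not ta_matched:
        return "no matching TLSA record"
    return "ok" if name_matches(expected_name, san_dnsnames) else "Hostname mismatch"


# Constructed stand-ins for DER blobs; real ones come from the TLS handshake.
LEAF_DER, LEAF_SPKI = b"constructed leaf cert", b"constructed leaf spki"
ISSUER_DER, ISSUER_SPKI = b"constructed issuer cert", b"constructed issuer spki"
CHAIN = [(LEAF_DER, LEAF_SPKI), (ISSUER_DER, ISSUER_SPKI)]

# SAN list copied from the probe output in the message above.
SAN = ["inet18.mississauga.harte-lyne.ca", "inet18", "inet18.hamilton",
       "inet18.hamilton.harte-lyne.ca", "inet18.mississagua",
       "inet18.mississagua.harte-lyne.ca"]

# Records for the constructed issuer, in the same "2 1 2" / "2 0 2" forms as above.
RECORDS = [parse_tlsa(f"TLSA: 2 1 2 {tlsa_data(1, 2, ISSUER_DER, ISSUER_SPKI)}"),
           parse_tlsa(f"TLSA: 2 0 2 {tlsa_data(0, 2, ISSUER_DER, ISSUER_SPKI)}")]

if __name__ == "__main__":
    print(dane_check("inet18.mississauga.harte-lyne.ca", RECORDS, CHAIN, SAN))
    print(dane_check("mx-backup.example.com", RECORDS, CHAIN, SAN))  # placeholder MX name
```

For a real certificate, the same "2 1 2" data comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha512`, and "2 0 2" from `openssl x509 -in cert.pem -outform DER | openssl dgst -sha512`; feeding those digests and the SAN list into `dane_check` with the MX hostname from the domain's MX record tells you, before the record is published, whether a DANE-TA client will accept the name.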