Hi Damian,

On Monday, 13.04.2020, 11:22 +0200, Damian wrote:
> The validator [1] says TLSA is ok, so is this even a DNS issue? If I
> have to guess, Postfix encounters the following situation:
>
> > When TLSA records are found, but are all unusable the effective security
> > level is "encrypt"
>
> The documentation does not state that self-signed certificates are
> invalid with the "encrypt" security level, they are with "verify".
>
> [1] https://dane.sys4.de/smtp/wrong.havedane.net
I am not sure what you are saying. The havedane.net test consists of 3 different servers, do., dont. and wrong.havedane.net, all with self-signed certificates. The difference is the TLSA records:

- do. has a correct one
- dont. has none
- wrong. has a wrong one (your link shows that)

Hence the result of the connections should be:

- do. = Verified (DANE did the verification)
- dont. = Untrusted (just regular TLS w/o DANE); with a signed cert it would be Trusted
- wrong. = No delivery at all (DANE verification fails)

The "wrong." one is the main security benefit of DANE, as it can spot tampered certificates. The "do." is additional security/convenience, as you can use self-signed certs and do not need to rely on CAs. "dont." of course does not matter.

However, the tcpdumps show that my Postfix is not getting any TLSA information via DNS, so on my server all three get delivered and the connection is stated as untrusted, as if there is no DANE involved and it just behaves like a regular TLS setup.
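Added example, not code from this thread, from Postfix or from sys4: a small Python model of the outcome table above and of the "all records unusable means effective level encrypt" rule quoted from the Postfix documentation. The certificate dicts, the chain list and the TLSA tuples are constructed stand-ins (assumptions), so no real X.509 or DNS handling happens; it only shows which of the three havedane.net cases ends as verified, untrusted or deferred, and that records from a non-validating resolver are ignored.

```python
import hashlib
# Constructed stand-ins for X.509 data (DER of the leaf cert and of its
# SubjectPublicKeyInfo); no real certificate parsing is done here.
LEAF = {"der": b"constructed-leaf-cert-der", "spki": b"constructed-leaf-spki"}
CHAIN = [LEAF]  # a self-signed cert presents a one-element chain

def _digest(data, mtype):
    # matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512
    if mtype == 0:
        return data
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def _usable(rec):
    usage, selector, mtype, _ = rec
    # RFC 7672: usages 0/1 and unknown selector/matching types are unusable for SMTP
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)

def _matches(rec, chain):
    usage, selector, mtype, data = rec
    # DANE-EE(3) matches the leaf; DANE-TA(2) an issuer in the chain (chain assumed verified)
    candidates = chain[:1] if usage == 3 else chain[1:]
    # selector 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    return any(_digest(c["der"] if selector == 0 else c["spki"], mtype) == data
               for c in candidates)

def dane_outcome(tlsa, secure, chain):
    """Return (effective security level, logged status) for smtp_tls_security_level=dane;
    `secure` is whether the TLSA lookup was DNSSEC-validated, which Postfix requires."""
    if not tlsa or not secure:
        return ("may", "untrusted")      # no DANE data: opportunistic TLS only
    usable = [r for r in tlsa if _usable(r)]
    if not usable:
        return ("encrypt", "untrusted")  # records present but all unusable
    if any(_matches(r, chain) for r in usable):
        return ("dane", "verified")      # TLSA matched the self-signed cert
    return ("dane", "deferred")          # usable records, none match: no delivery

def demo():
    # Constructed TLSA data for the three test hosts: usage 3, selector 1, SHA-256
    good = (3, 1, 1, hashlib.sha256(LEAF["spki"]).digest())
    wrong = (3, 1, 1, hashlib.sha256(b"constructed-other-key").digest())
    pkix_ee = (1, 0, 1, hashlib.sha256(LEAF["der"]).digest())
    return {
        "do.": dane_outcome([good], True, CHAIN),
        "dont.": dane_outcome([], True, CHAIN),
        "wrong.": dane_outcome([wrong], True, CHAIN),
        "unusable only": dane_outcome([pkix_ee], True, CHAIN),
        "not validated": dane_outcome([good], False, CHAIN),
    }
```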