On 3 Sep 2020, at 0:43, Viktor Dukhovni wrote:
> On Wed, Sep 02, 2020 at 11:11:32PM -0400, Bill Cole wrote:
> [...]
> > Yes, I see the same:
> > [root@be03 ~]# dig @127.0.0.1 _25._tcp.mail.deaecom.gov. tlsa
>
> That's NOT the same, you're not asking for "+dnssec", which Postfix does
> do when resolving DANE TLSA records.
[root@be03 ~]# dig +dnssec _25._tcp.mail.deaecom.gov. tlsa
; <<>> DiG 9.16.6 <<>> +dnssec _25._tcp.mail.deaecom.gov. tlsa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46298
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 12, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mail.deaecom.gov. IN TLSA
;; AUTHORITY SECTION:
deaecom.gov. 518 IN SOA dnsgm-dc2.admin.oss.doj.gov. root.usdoj.gov.
2000118899 10800 1080 2592000 600
deaecom.gov. 518 IN RRSIG SOA 8 2 600 20200912211637 20200902201637
20724 deaecom.gov.
F8r14NTQ7L3MRkYewzs1TUjBEvqXRy9NM4H99DsJFNwj+PVeJiPNmhjI
yvtdXw2kjzexpkX9X4TPGsufkM6lDXOOlOuxagujX01kb/LnTavFQ6p6
y9hnDj7K6ygFSuNlNDXk8C+Zr/aGQh3HO+1rOsx2IM8yV6c13SFStP6s nRM=
deaecom.gov. 518 IN RRSIG SOA 8 2 600 20200912211637 20200902201637
35760 deaecom.gov.
ZC6O+yYCy3TgiuJQorMAD1MRq4pIzz2DWrU8vunG1HfWmph8EDJ64W3L
njacnYNCYF0MzTUbgvG+cVdGjE0eoMnp7sBke+ZQieO5vpgwK+FTcbDm
4pL87jiW7uUyHI1gcIGxQVCBHI1iO+xhZkEAz0S0auaWHy1FKUFXi8Rw Q9Q=
D5DIDRUE45LH5RM0HLV12VVSPSO8F8AI.deaecom.gov. 518 IN NSEC3 1 0 10
F6ED3BBC0C659326C5 EHMJ33K8REDE558E2VD9TSTFLG1HO30U A TXT RRSIG
D5DIDRUE45LH5RM0HLV12VVSPSO8F8AI.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 20724 deaecom.gov.
hDRSxC4FdaLm2xzMIZoehQamJ25NND+HaSNzV6q+hyET+YhBICB3OZSh
xiwKBTaJeBE+R8XK6YJEw50BQXAIvq6I3cTJzO+GKDud7tCmXrTPiiew
AYNwrz4uD+SSaseeA9X1c1VPyogdxEigiN9iN4rkg8YBqh5avOSRq3qJ U60=
D5DIDRUE45LH5RM0HLV12VVSPSO8F8AI.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 35760 deaecom.gov.
X6ZaSuo5BKaxkZ23q0XCiykE6UZacWPdI1Sk9aU9zvzXmriu4tGw9oZn
sgrsRgFPa/rjORhUns2OgV88v2Yo9VwpF/qJYPyVa31Mt+DcBhFElIfV
rdyVKZT4One6oRFDVJqCce950xw4cIuGBi7Vcw3+n3eADkGc3onjq/MC 9KY=
J6B04P8U736RJ4J4MS9LJT6SE10K99J4.deaecom.gov. 518 IN NSEC3 1 0 10
F6ED3BBC0C659326C5 Q4UAST9AOGHUCL7KL6FKFSLJ2DPTU9HP A RRSIG
J6B04P8U736RJ4J4MS9LJT6SE10K99J4.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 20724 deaecom.gov.
MYBtptocGyGZ2+nLtvvQP27cUhmIGDyNaMrHhL0qLjZ+ool5KvM2zLL6
CTxnllRjSh4Cv2DrBr3clH2EeOhY8RaxEZcWFgiOB+3SIzhVOrMq6TeP
Oq+xETfd8PgmVsAYz+jzOZ1rhDtSK2s6EM1fMKwOniEIJt+/9rlWTFFF gbM=
J6B04P8U736RJ4J4MS9LJT6SE10K99J4.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 35760 deaecom.gov.
El52YZFjY1NPsMzS6BchrBfk9n+yilbS6ME92fElzTYWOfuz0276bu2L
G9UVJTDAvFZW+h1n3+vCo2iVOM32nNCPcbzX+sQMAKXQnJ6T9UpKeoHx
dt6VEPV+S4yXOTrU/pBthA5eJmo8DV850ZmhRMc6/PSyHlUxbXXByzkw Hbo=
9V32NT7182EOP2KHPTJMS4COSC0L466I.deaecom.gov. 518 IN NSEC3 1 0 10
F6ED3BBC0C659326C5 D5DIDRUE45LH5RM0HLV12VVSPSO8F8AI
9V32NT7182EOP2KHPTJMS4COSC0L466I.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 20724 deaecom.gov.
GtSHIDoQoCfTs+0JFudr9WNQYnxtZlcEEZIyplNgfnlFgtqRAry4W2GG
UZYE+8cUdcC92oDhy23uOOLctHCvOOeWpe2GGQdi0Q8s+KqjVv4L42GB
mD1f9mssKFCimxrcQktlZb/9jyJ8Gw6r4J/YOrPP8B5pzFcQdYs1/3EQ iv8=
9V32NT7182EOP2KHPTJMS4COSC0L466I.deaecom.gov. 518 IN RRSIG NSEC3 8 3 600
20200910024713 20200831014713 35760 deaecom.gov.
fC54/kHzZJZICujpsK2KU0Mv05vvFSRHVw8Pv4r10prpbcCCmByNTec5
WKD/lu/bqAB4DX3Fw3F+3ghLXQv36McfoCZVDyCl7ZTu8DMVo9/JK3/2
3bIi/6+5j0PIynnFm7Ulnon4A2Poad1KlySSLRjvs8HsvtO5rzwOYcOj UGs=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 03 01:38:29 UTC 2020
;; MSG SIZE rcvd: 1749
> > ; <<>> DiG 9.16.6 <<>> @127.0.0.1 _25._tcp.mail.deaecom.gov. tlsa
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38074
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> Your resolver claims to have validated the answer (the AD bit is set),
> what do you get with "posttls-finger"?
[root@be03 ~]# posttls-finger mail.deaecom.gov
posttls-finger: Connected to mail.deaecom.gov[149.101.26.25]:25
posttls-finger: < 220 ****************
posttls-finger: > EHLO be03-outbound.cipherspace.net
posttls-finger: < 250-griffon.deaecom.gov
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10485760
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mail.deaecom.gov[149.101.26.25]:25: Matched subjectAltName: mail.deaecom.gov
posttls-finger: mail.deaecom.gov[149.101.26.25]:25 CommonName mail.deaecom.gov
posttls-finger: certificate verification failed for mail.deaecom.gov[149.101.26.25]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
posttls-finger: mail.deaecom.gov[149.101.26.25]:25: subject_CN=mail.deaecom.gov, issuer_CN=DigiCert SHA2 Extended Validation Server CA, fingerprint=77:47:67:27:88:B2:89:52:E3:02:79:2F:BC:8D:A9:AC:CE:6C:AC:F7, pkey_fingerprint=B8:7E:51:C7:E4:5D:52:4F:9C:22:57:45:B6:3C:BE:A0:2E:12:52:F4
posttls-finger: Untrusted TLS connection established to mail.deaecom.gov[149.101.26.25]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO be03-outbound.cipherspace.net
posttls-finger: < 250-griffon.deaecom.gov
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10485760
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
> > ;; MSG SIZE rcvd: 125
>
> For lack of the DO bit, the response is considerably smaller than it
> would otherwise be. What resolver does Postfix use?
Local Unbound instance.
> Is the SMTP client chrooted?
No:
[root@be03 ~]# grep 'smtp$' /usr/local/etc/postfix/master.cf
smtp unix - - n - - smtp
relay unix - - n - - smtp
> What's in /etc/resolv.conf?
[root@be03 ~]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver REDACT1
nameserver REDACT2
The redacted IPs (public addresses but not for public use) are our
general-purpose caching recursive resolvers, both BIND 9.16.6. There's
no indication of the local Unbound failing to respond, so they never
should have been hit.
> > I do not understand why Postfix didn't see that as a reason to give up
> > on DANE.
>
> Postfix uses the traditional BSD stub resolver API (i.e. libc on many
> modern systems, formerly libresolv). Whatever it sees is what Postfix
> sees.
> > There's a local instance of Unbound operating as a caching recursive
> > resolver, so I don't think the UDP edge cases apply: it should be doing
> > the right thing in regards to using TCP as needed.
>
> Well, unbound might well have been failing to resolve this domain for
> some reason, you can also test with "unbound-host"
Doesn't seem to be an issue:
[root@be03 ~]# unbound-host -t tlsa -D -v _25._tcp.mail.deaecom.gov
Host _25._tcp.mail.deaecom.gov not found: 3(NXDOMAIN). (secure)
> and also try dnsviz:
>
> https://dnsviz.net/d/_25._tcp.mail.deaecom.gov/X1BycA/dnssec/
>
> which shows a working domain, be it with a few too many signatures
> in the graph. All the usual public resolvers are able to validate it:
>
> https://dnsviz.net/d/_25._tcp.mail.deaecom.gov/e/218995/dnssec/
>
> Is your unbound forwarding to any of them,
No. This is an outbound relay on the same machine as another MTA that's
doing MX and spam-filtering service, so the local resolver is fully
recursive and autonomous.
> configured to use DoH or DoT perhaps?
No.
> Bottom line, if name resolution is failing, Postfix is usually
> just the messenger, the bad news is coming from upstream.
Oh, I get that. Really.
Since I can't see any other incidents like this even with seemingly
similar DNS circumstances, I've reset to "smtp_tls_security_level = dane"
and chalked up this incident to "gremlins" pending a recurrence. A test
message to a bogus address in the target domain with the PIX workaround
"disable_esmtp" shut off did establish a TLS session, so whatever actually
caused it seems to have been transient.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
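As an added, self-contained illustration of the resolver side of this thread (not code from the thread, from Postfix or from Unbound): it builds the TLSA query a DANE client sends, carrying the EDNS0 DO bit that "dig +dnssec" sets, and maps a reply's rcode and AD flag to the outcome under smtp_tls_security_level=dane. The decision table is a simplified summary of Postfix's documented fallback rules, the loopback-only trust in the AD bit is an assumption for the demo, and the reply headers are constructed samples.

```python
import struct

# Constructed example, not code from the thread or from Postfix. It builds the
# kind of TLSA query Postfix sends (EDNS0 with DO=1, i.e. "dig +dnssec") and maps
# a reply's rcode/AD flag to the outcome under smtp_tls_security_level=dane.
TLSA, OPT = 52, 41              # RR types: TLSA, EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000                # "DNSSEC OK" bit, carried in the OPT RR's TTL field
FLAG_RD, FLAG_AD = 0x0100, 0x0020
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
TRUSTED_RESOLVERS = ("127.0.0.1", "::1")  # assumption: trust AD only over loopback


def build_tlsa_query(qname: str, txid: int = 0x1234) -> bytes:
    """Wire-format TLSA query with an OPT RR carrying DO=1 and a 4096-byte UDP size."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", TLSA, 1)   # QTYPE=TLSA, QCLASS=IN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG, 0)  # root name, no rdata
    return header + question + opt_rr


def has_do_bit(query: bytes) -> bool:
    """True if the trailing OPT RR sets DO; without it the resolver omits RRSIG/NSEC3 data."""
    name, rtype, _, ttl, rdlen = struct.unpack("!BHHIH", query[-11:])
    return name == 0 and rtype == OPT and rdlen == 0 and bool(ttl & DO_FLAG)


def constructed_reply(txid: int, rcode: int, ad: bool, ancount: int) -> bytes:
    """Constructed reply header only (all the policy decision below needs)."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode   # QR, RD, RA (+AD) and the rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 1)


def dane_decision(reply: bytes, resolver_ip: str) -> tuple:
    """Simplified summary of Postfix's documented 'dane' fallback rules (not Postfix code)."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    # The AD bit only means something if nothing between client and validator can forge it.
    ad = bool(flags & FLAG_AD) and resolver_ip in TRUSTED_RESOLVERS
    if rcode not in (NOERROR, NXDOMAIN):
        return ("defer", "lookup failed (SERVFAIL/bogus): Postfix is only the messenger")
    if not ad:
        return ("may", "not DNSSEC-validated: opportunistic TLS only")
    if rcode == NXDOMAIN or ancount == 0:
        return ("may", "secure denial of existence: no TLSA records, opportunistic TLS")
    return ("dane", "validated TLSA records present: enforce DANE")
```

The secure NXDOMAIN seen in the thread lands in the "may" row, which is why the untrusted DigiCert chain above still yields a working (unauthenticated) TLS session rather than a deferral.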