On Thu, Sep 03, 2020 at 06:09:23PM -0400, Bill Cole wrote:
> > Your resolver claims to have validated the answer (the AD bit is set),
> > what do you get with "posttls-finger"?
>
> [root@be03 ~]# posttls-finger mail.deaecom.gov
> posttls-finger: Connected to mail.deaecom.gov[149.101.26.25]:25
> posttls-finger: < 220 ****************

Already here we see that "posttls-finger" did not report trouble looking
up the TLSA RRs, as it would with e.g. "assugo.be" (one of the 300+
domains affected by broken denial of existence via axc.nl nameservers):

$ posttls-finger assugo.be
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.assugo.be type=TLSA: Host not
found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.assugo.be type=TLSA: Host not
found, try again
posttls-finger: Failed to establish session to assugo.be via assugo.be:
TLSA lookup error for assugo.be:25
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.assugo.be type=TLSA: Host not
found, try again
posttls-finger: Failed to establish session to assugo.be via assugo.be:
TLSA lookup error for assugo.be:25

> > Bottom line, if name resolution is failing, Postfix is usually just
> > the messenger, the bad news is coming from upstream.
>
> Oh, I get that. Really.
>
> Since I can't see any other incidents like this even with seemingly
> similar DNS circumstances, I've reset to "smtp_tls_security_level =
> dane" and chalked up this incident to "gremlins" pending a recurrence. A
> test message to a bogus address in the target domain with the PIX
> workaround "disable_esmtp" shut off did establish a TLS session, so
> whatever actually caused it seems to have been transient.
Indeed "transient" seems to be the verdict, and perhaps explains why
others (myself included) could not reproduce the reported symptoms.
--
Viktor.
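As an added illustration of the distinction this exchange turns on (a TLSA lookup that fails with "try again" versus a validated answer that simply has no TLSA records), the following Python is example code, not from the thread or from Postfix: it parses TLSA RDATA in RFC 6698 wire format and maps a validating resolver's reply onto the outcomes a DANE-aware MTA must keep apart. The DnsAnswer model, the outcome names and the sample RDATA are constructed for the example; nothing touches the network.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

def parse_tlsa_rdata(rdata: bytes) -> TlsaRecord:
    """Parse RFC 6698 TLSA RDATA: usage(1) selector(1) mtype(1) cert-assoc-data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    rec = TlsaRecord(rdata[0], rdata[1], rdata[2], rdata[3:])
    want = {1: 32, 2: 64}.get(rec.mtype)   # digest lengths for SHA-256 / SHA-512
    if want is not None and len(rec.data) != want:
        raise ValueError(f"matching type {rec.mtype} needs {want} bytes, got {len(rec.data)}")
    return rec

def usable(rec: TlsaRecord) -> bool:
    """RFC 7672: only DANE-TA(2)/DANE-EE(3) with a known selector and matching type."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)

@dataclass
class DnsAnswer:
    """Constructed stand-in for a validating resolver's reply to _25._tcp.<host> TLSA."""
    rcode: str                 # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    ad: bool                   # Authenticated Data bit set by the validating resolver
    rdatas: List[bytes] = field(default_factory=list)

def dane_lookup_outcome(ans: DnsAnswer) -> str:
    """Map a TLSA reply onto the outcomes a DANE-aware MTA must keep apart."""
    if ans.rcode == "SERVFAIL":
        # Resolution failed (e.g. broken denial of existence): "Host not found, try again".
        return "defer"         # mail stays queued; never downgrade to an insecure session
    if not ans.ad:
        # Unsigned zone, or the resolver did not validate: DANE cannot apply, and any
        return "no-dane"       # records returned without AD must not be trusted
    if ans.rcode == "NXDOMAIN" or not ans.rdatas:
        return "no-dane"       # validated proof that no TLSA RRset exists: opportunistic TLS
    records = []
    for rd in ans.rdatas:
        try:
            records.append(parse_tlsa_rdata(rd))
        except ValueError:
            continue           # malformed RDATA is simply an unusable record
    if any(usable(r) for r in records):
        return "dane"          # authenticate the server certificate against the TLSA RRset
    return "encrypt"           # TLSA published but all unusable: TLS required, unauthenticated
```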