Hi there, I tried the DANE test on "havedane.net" and figured that outgoing DANE is not working. I get the following:
Email to non-DANE domain delivered.
Email to DANE domain delivered.
Email to domain with invalid DANE delivered.

So apparently the check for the last one is failing (at least). Checking the logs, the first two are "failing" as well, as DANE is not tested and all connections are "Untrusted" (because of the self-signed cert). However, TLS is regularly working; I checked with other DANE-enabled domains and I get a "Trusted" connection, but not "Verified". Testing a lot, I found that apparently postfix is not checking the TLSA record, I think by not recognising the domain as DNSSEC enabled? I am not sure what to do anymore. If anyone has had a similar problem, any help would be appreciated.

More details on what I did: I am running in a docker setup (alpine based on debian host) with my own unbound DNS resolver. I started to check if I have problems in my DNSSEC checks. Running a "dig com. SOA +dnssec" from my postfix container, I get

##########
; <<>> DiG 9.14.8 <<>> com. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18198
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com. IN SOA

;; ANSWER SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1586697402 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20200419131642 20200412120642 56311 com. km8/J8z8l6NNsoU0Ag5PfaPAN6sLYxzIYOm1qzdAfu7a/IxlsRnWqPgh VsfO6+MDxHpUZ9VI9O3tc9EvpJ9p7LKLKoV1BtfIdKIXXeE7viow5LG8 FlzF04w4Qd5hd2oLY1F4bvdDQmB7AAPNRC/3mCySNZTqg/iyXbH5ePOk rQ+ue9ThApZOGHTbL9jyFnFsDCoUu3OhVWxA2BQv8zVEZQ==

;; Query time: 14 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Sun Apr 12 15:17:00 CEST 2020
;; MSG SIZE rcvd: 300
##########

Having the ad flag, this seems to be ok for DNSSEC. Next I forced postfix to see "havedane.net" as a "dane-only" domain via tls policies.
That led to the following errors:

##########
Apr 11 19:14:39 server docker/postfix/smtp[904]: warning: TLS policy lookup for do.havedane.net/do.havedane.net: non DNSSEC destination
Apr 11 19:14:39 server docker/postfix/smtp[904]: warning: TLS policy lookup for do.havedane.net/do.havedane.net: non DNSSEC destination
##########

Hence confirming my theory that DNSSEC is not properly checked. The next thing I did was monitoring the DNS queries in unbound, and I found that only MX, A and AAAA are requested:

##########
Apr 12 14:00:56 server docker/unbound[567]: [1586692856] unbound[1:0] info: 192.168.4.5 do.havedane.net. MX IN#015
Apr 12 14:00:56 server docker/unbound[567]: [1586692856] unbound[1:0] info: 192.168.4.5 do.havedane.net. A IN#015
Apr 12 14:00:56 server docker/unbound[567]: [1586692856] unbound[1:0] info: 192.168.4.5 do.havedane.net. AAAA IN#015
##########

A check of a TLSA record would look like this in unbound (triggered with dig), but this is missing with the postfix-triggered queries (hence, how should postfix know certificate information?):

##########
Apr 12 14:01:25 server docker/unbound[567]: [1586692885] unbound[1:0] info: 192.168.4.5 _25._tcp.do.havedane.net. TLSA IN#015
##########

I read in the documentation that apparently postfix checks with certain FLAGS (RES_USE_DNSSEC and RES_USE_EDNS0) in the MX request for DNSSEC validity; however, I do not know how to debug whether that is happening. Hence I am stuck now. Anyone knows what to do?
postconf -n (domain replaced by XXX)

##########
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level = 2
debug_peer_list = havedane.net,127.0.0.1,127.0.0.11,192.168.4.254
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
myhostname = server.XXX.de
mynetworks = 127.0.0.0/8 192.168.4.0/24 [::1]/128 [fd00::192:168:4:0]/112
non_smtpd_milters = inet:rspamd:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = dnsbl.sorbs.net*1, bl.spamcop.net*1, ix.dnsbl.manitu.net*2, zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_policy_maps = hash:/etc/postfix/maps/tls-policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/maps/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:rspamd:11332
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/maps/recipient-access
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/ssl/private/server_XXX_de_chained.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/private/dh-4096.pem
smtpd_tls_eccert_file = /etc/ssl/private/ecc-server_XXX_de_chained.pem
smtpd_tls_eckey_file = /etc/ssl/private/ecc-XXX_de.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = kEDH
smtpd_tls_key_file = /etc/ssl/private/XXX_de.key
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
syslog_name = docker/${multi_instance_name?{$multi_instance_name}:{postfix}}
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION,NO_RENEGOTIATION
virtual_alias_maps = hash:/etc/postfix/maps/aliases
virtual_mailbox_domains = XXX.de
virtual_transport = lmtp:inet:dovecot:24
##########

postconf -Mf

##########
smtp inet n - n - 1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=inet:dovecot:10001
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o smtpd_sender_login_maps=hash:/etc/postfix/maps/sender-login
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o cleanup_service_name=submission-header-cleanup
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/maps/submission_header_cleanup
##########
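The lookup order the post is chasing (the MX answer has to come back with the AD flag before a TLSA query is worth making, the TLSA answer has to be validated as well, and only then is a record compared with the server certificate) as an added example for checking each step by hand from inside the container. This is not Postfix's code and not from the original post; it only walks text in `dig +dnssec` output format. The domain mail.example.net, the dig-style responses and the certificate and SPKI bytes are constructed placeholders; a real run would feed it the output of `dig +dnssec` against the container's resolver and the MX host's DER certificate.

```python
"""Walk the DNSSEC-gated steps of a DANE SMTP lookup over dig-style text.

Added diagnostic example, not Postfix code. The MX answer must carry the AD
flag before a TLSA lookup is useful; the TLSA answer must carry it as well;
only then is a record compared with the server certificate.
"""
import hashlib
import re

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+)")
FLAGS_RE = re.compile(r";; flags:\s*(?P<flags>[a-z ]*?)\s*;")
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+TLSA\s+(?P<usage>\d)\s+(?P<selector>\d)"
    r"\s+(?P<mtype>\d)\s+(?P<data>[0-9A-Fa-f ]+)$",
    re.M,
)


def parse_dig_header(dig_text):
    """Return (status, set of header flags) from a dig response."""
    status = HEADER_RE.search(dig_text)
    flags = FLAGS_RE.search(dig_text)
    if status is None or flags is None:
        raise ValueError("text is not a dig response")
    return status.group("status"), set(flags.group("flags").split())


def is_validated(dig_text):
    """Validated means the resolver set AD; NXDOMAIN with AD is a validated denial."""
    status, flags = parse_dig_header(dig_text)
    return status in ("NOERROR", "NXDOMAIN") and "ad" in flags


def parse_tlsa(dig_text):
    """Collect (usage, selector, matching type, data) tuples from the answer section."""
    records = []
    for m in TLSA_RE.finditer(dig_text):
        data = bytes.fromhex(m.group("data").replace(" ", ""))
        records.append((int(m.group("usage")), int(m.group("selector")), int(m.group("mtype")), data))
    return records


def tlsa_matches(record, cert_der, spki_der):
    """Compare one DANE-EE (usage 3) record with the leaf certificate per RFC 6698.
    DANE-TA (usage 2) needs the issuer chain and is reported as no match here."""
    usage, selector, mtype, data = record
    if usage != 3:
        return False
    subject = {0: cert_der, 1: spki_der}.get(selector)   # 0 = full cert, 1 = SPKI
    if subject is None:
        return False
    if mtype == 0:
        return subject == data
    if mtype == 1:
        return hashlib.sha256(subject).digest() == data
    if mtype == 2:
        return hashlib.sha512(subject).digest() == data
    return False


def dane_decision(mx_dig, tlsa_dig, cert_der, spki_der):
    """Decision order: MX validated -> TLSA validated -> certificate match."""
    if not is_validated(mx_dig):
        return "non-dnssec-destination"   # no TLSA query is made at all
    if not is_validated(tlsa_dig):
        return "tlsa-not-validated"       # unvalidated TLSA data is ignored
    records = parse_tlsa(tlsa_dig)
    if not records:
        return "no-tlsa"                  # opportunistic TLS only
    if any(tlsa_matches(r, cert_der, spki_der) for r in records):
        return "verified"
    return "mismatch"


def sample_dig(flags, question, answers):
    """Build a minimal dig-style response; constructed, not captured from a resolver."""
    return "\n".join([
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1",
        f";; flags: {flags}; QUERY: 1, ANSWER: {len(answers)}, AUTHORITY: 0, ADDITIONAL: 1",
        ";; QUESTION SECTION:",
        f";{question}",
        ";; ANSWER SECTION:",
        *answers,
    ])


# Constructed placeholders; a real check uses the DER certificate and SPKI of the MX host.
CERT_DER = b"constructed placeholder, not a real DER certificate"
SPKI_DER = b"constructed placeholder, not a real SubjectPublicKeyInfo"
MX_ANSWER = ["example.net. 3600 IN MX 10 mail.example.net."]
MX_SECURE = sample_dig("qr rd ra ad", "example.net. IN MX", MX_ANSWER)
MX_INSECURE = sample_dig("qr rd ra", "example.net. IN MX", MX_ANSWER)
TLSA_SECURE = sample_dig(
    "qr rd ra ad", "_25._tcp.mail.example.net. IN TLSA",
    [f"_25._tcp.mail.example.net. 3600 IN TLSA 3 1 1 {hashlib.sha256(SPKI_DER).hexdigest()}"],
)

if __name__ == "__main__":
    print("validated MX:", dane_decision(MX_SECURE, TLSA_SECURE, CERT_DER, SPKI_DER))
    print("unvalidated MX:", dane_decision(MX_INSECURE, TLSA_SECURE, CERT_DER, SPKI_DER))
```

Feeding the script the MX response of a real `dig +dnssec` run from the container tells you directly whether the answer the resolver hands back carries AD; an MX answer without it ends in the same "non DNSSEC destination" branch as the dane-only log lines quoted in the post, and no TLSA query is ever issued, which is the query pattern the unbound log shows.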