Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
On Mon, Apr 13, 2020 at 11:53:03PM -0400, Rich Felker wrote: > > Your local nameserver has already done the TCP failover and paid the > > cost of obtaining the full RRset, your stub resolver is just failing to > > give it the opportunity to return the full data to you. The performance > > cost is

Re: Outgoing DANE not working

2020-04-13 Thread Rich Felker
On Mon, Apr 13, 2020 at 05:41:38PM -0400, Viktor Dukhovni wrote: > > Fallback to tcp on TC would also yield very bad performance for users > > who are not running a local nameserver whenever looking up names with > > ridiculous numbers of A/ records, where the truncated response > > certainly s

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
On Mon, Apr 13, 2020 at 03:35:05PM -0400, Rich Felker wrote: > > It is also not uncommon for applications that use SRV records to > > encounter large RRsets (e.g. Windows Domain controller lists for > > large Active-Directory domains in MIT Kerberos or Heimdal). > > The justification here has alw

Re: Outgoing DANE not working

2020-04-13 Thread Rich Felker
On Mon, Apr 13, 2020 at 03:04:12PM -0400, Viktor Dukhovni wrote: > On Mon, Apr 13, 2020 at 02:35:22PM -0400, Rich Felker wrote: > > > > The problem can be partly resolved by setting the "AD" bit in the > > > outgoing DNS query header sent by the musl-libc stub resolver. Then > > > the local itera

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
On Mon, Apr 13, 2020 at 02:35:22PM -0400, Rich Felker wrote: > > The problem can be partly resolved by setting the "AD" bit in the > > outgoing DNS query header sent by the musl-libc stub resolver. Then > > the local iterative resolver will return the AD bit in its response. > > > > However, lac

Re: Outgoing DANE not working

2020-04-13 Thread Rich Felker
On Mon, Apr 13, 2020 at 02:15:14PM -0400, Viktor Dukhovni wrote: > > On Apr 13, 2020, at 7:18 AM, Christian wrote: > > > > FYI: I put your findings forward to the musl-libc mailing list and > > asked what they now think what should be done. > > The problem can be partly resolved by setting the "

Re: DMARC reports - Open Source solution

2020-04-13 Thread lists
https://github.com/tierpod/dmarc-report-converter/blob/master/README.md This sounds like what you want. I have no first-hand experience with the code but I am going to put this on my "lock down" task list. I like the idea of the code mailing an HTML report. This way I don't have to expose the repor

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
> On Apr 13, 2020, at 7:18 AM, Christian wrote: > > FYI: I put your findings forward to the musl-libc mailing list and > asked what they now think what should be done. The problem can be partly resolved by setting the "AD" bit in the outgoing DNS query header sent by the musl-libc stub resolve

Re: DMARC reports - Open Source solution

2020-04-13 Thread Ahsan Khan
Thanks Benny I wanted to have an open source dmarc dashboard, where it can read the rua emails and parse it on the dashboard. Is this doable using open source? Regards Ahsan On Mon, Apr 13, 2020 at 10:23 PM Benny Pedersen wrote: > On 2020-04-13 07:36, Ahsan Khan wrote: > > Hello All > > > >

Re: postfix 3.5.0 + gcc10 build fail, "multiple definition of `var_inet_protocols'; master_vars.o:(.bss+0x10): first defined here" ?

2020-04-13 Thread PGNet Dev
On 4/13/20 9:51 AM, PGNet Dev wrote: > haven't seen this b4. not sure if something's changed, my config's wrong, or > this is a GCC-10 sensitivity ... looks like GCC10 related switching from CC=/usr/bin/gcc-10 CXX=/usr/bin/g++-10 to CC=/usr/bin/clang CXX=/usr/

Re: DMARC reports - Open Source solution

2020-04-13 Thread Benny Pedersen
On 2020-04-13 07:36, Ahsan Khan wrote: Hello All I have a domain where my DMARC reports are delivered to my email address. I want to integrate it with a dashboard. Does anyone know of an open source solution where these XML reports can be read and published? https://easydmarc.com/tools google

postfix 3.5.0 + gcc10 build fail, "multiple definition of `var_inet_protocols'; master_vars.o:(.bss+0x10): first defined here" ?

2020-04-13 Thread PGNet Dev
(my bad, shouldn't have sent to -devel) i'm building a new/clean postfix 3.5.0 instance on linux/64 currently, with gcc --version gcc (SUSE Linux) 10.0.1 20200408 (experimental) [revision 13e41d8b9d3d7598c72c38acc86a3d97046c8373] my usually problem-free `make`,

Re: Outgoing DANE not working

2020-04-13 Thread Christian
To finalise this as solved: just moved Postfix to a Debian-based container and now DANE is working as expected. Hence if anyone comes by this thread, follow Viktor's advice: > DO NOT run Postfix over musl-libc. Hence not on regular Alpine.

Re: Outgoing DANE not working

2020-04-13 Thread Christian
On Monday, 13.04.2020, at 06:57 -0400, Viktor Dukhovni wrote: > > On Apr 13, 2020, at 6:38 AM, Christian wrote: > > Nevertheless, it should probably be included in the Postfix DANE > documentation to avoid muslc setups with postfix for now. > > Postfix expects a C-library implementation of the D

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
> On Apr 13, 2020, at 6:38 AM, Christian wrote: > > Nevertheless, it should probably be included in the Postfix DANE > documentation to avoid muslc setups with postfix for now. Postfix expects a C-library implementation of the DNS stub resolver routines that is compatible with the original BSD d

Re: Outgoing DANE not working

2020-04-13 Thread Christian
On Monday, 13.04.2020, at 05:52 -0400, Viktor Dukhovni wrote: > > On Apr 13, 2020, at 4:56 AM, Christian wrote: > > The container is running on alpine, hence with muslc libc. After > seeing > the tcpdump yesterday, I thought as well, if that could be an issue. > > I am no programmer, however 2 t

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
> On Apr 13, 2020, at 5:52 AM, Viktor Dukhovni > wrote: > > Indeed searching the github repo for RES_USE_DNSSEC and RES_USE_EDNS0 finds > hits only in the header file, and similarly: > > > https://raw.githubusercontent.com/runtimejs/musl-libc/master/src/network/res_state.c > > pretty much rules

Re: Outgoing DANE not working

2020-04-13 Thread Damian
>> The validator [1] says TLSA is ok, so is this even a DNS issue? If I >> have to guess, Postfix encounters the following situation: >> >> >> When TLSA records are found, but are all unusable the effective security >> level is "encrypt" >> >> The documentation does not state that self-signed c

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
> On Apr 13, 2020, at 4:56 AM, Christian wrote: > > The container is running on alpine, hence with muslc libc. After seeing > the tcpdump yesterday, I thought as well, if that could be an issue. > > I am no programmer, however 2 things strike me: > Dig is able to construct a proper request and I

Re: Outgoing DANE not working

2020-04-13 Thread Christian
Hi Damian, On Monday, 13.04.2020, at 11:22 +0200, Damian wrote: > The validator [1] says TLSA is ok, so is this even a DNS issue? If I > have to guess, Postfix encounters the following situation: > > > When TLSA records are found, but are all unusable the effective security > level is "encry

Re: Outgoing DANE not working

2020-04-13 Thread Viktor Dukhovni
[ To the OP: feel free to ignore the below response, it is irrelevant. ] > On Apr 13, 2020, at 5:22 AM, Damian wrote: > > The validator [1] says TLSA is ok, so is this even a DNS issue? If I > have to guess, Postfix encounters the following situation: > >> When TLSA records are found, but ar

Re: Outgoing DANE not working

2020-04-13 Thread Damian
The validator [1] says TLSA is ok, so is this even a DNS issue? If I have to guess, Postfix encounters the following situation: > When TLSA records are found, but are all unusable the effective security > level is "encrypt" The documentation does not state that self-signed certificates are in

Re: Outgoing DANE not working

2020-04-13 Thread Christian
Hello Viktor, thanks again, please see my answers inline. On Sunday, 12.04.2020, at 22:47 -0400, Viktor Dukhovni wrote: > On Mon, Apr 13, 2020 at 02:12:49AM +0200, Christian wrote: > > > thanks for the response! Apparently the mail was too long (>4000) and > got rejected, hence I put it to past