On Thu, Apr 09, 2015 at 01:14:19AM +0200, Benny Pedersen wrote:
> If you need a DNSSEC-enabled destination to test your DANE setup, send a message to sink@dane.sys4.de. It will accept your message and discard it.
>
> Check your log for a line "to dane.sys4.de". If it reads "Verified TLS connection" (Postfix) your DANE setup works properly.

This tests outbound DANE settings in the Postfix SMTP client.

> posttls-finger example.org

This tests inbound DANE TLSA records in the Postfix SMTP server.

> Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> yes
>
> named.conf: dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;

I don't recommend ISC DLV lookaside. This is obsolete.

> main.cf: smtp_dns_support_level = dnssec smtp_tls_security_level = dane

These are Postfix SMTP client settings.

> from then on just use posttls-finger without any options
> posttls-finger dane.sys4.de

Which are not tested by posttls-finger: it tests the DANE configuration of remote domains, not the client settings of the local MTA, which it mostly does not use. (It does rely on the same working resolver.)
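As an added example (not part of this thread or of Postfix itself), the log check described above done in code: parse the Postfix smtp(8) TLS log lines and report whether a delivery to a given destination was logged as "Verified", which under smtp_tls_security_level = dane means the TLSA match succeeded. The sample log is constructed around the line quoted in the thread plus one made-up "Untrusted" line for a placeholder host.

```python
import re

# Matches the Postfix smtp(8) "TLS connection established" line. Newer Postfix
# versions append key-exchange details after "(N/M bits)"; search() tolerates that.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Constructed sample: line 1 is the one quoted in the thread, line 2 is invented
# for a placeholder host that only reached an unauthenticated (encrypt) session.
SAMPLE_LOG = """\
Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 8 19:53:02 mail postfix/smtp[28742]: Untrusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""


def parse_tls_line(line):
    """Return a dict (level, host, addr, port, proto, cipher, bits) or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def dane_outbound_verdict(log_text, destination):
    """Decide whether outbound DANE worked for `destination` from the log alone.

    With smtp_tls_security_level = dane, "Verified" means the server certificate
    matched a DNSSEC-validated TLSA record. "Trusted", "Untrusted" or "Anonymous"
    mean the session was encrypted but DANE did not authenticate the peer (no
    usable TLSA records, or the client is not using a validating resolver).
    """
    levels = [r["level"] for r in map(parse_tls_line, log_text.splitlines())
              if r and r["host"] == destination]
    if not levels:
        return "no TLS session logged"
    if "Verified" in levels:
        return "ok"
    return "not verified: " + ", ".join(sorted(set(levels)))


if __name__ == "__main__":
    for host in ("dane.sys4.de", "mx.example.invalid"):
        print(host, "->", dane_outbound_verdict(SAMPLE_LOG, host))
```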