Patrick Ben Koetter skrev den 2015-04-08 19:57:
If you need a DNSSEC-enabled destination to test your DANE setup, send a message to sink@dane.sys4.de. It will accept your message and discard it.
+1
Check your log for a line "to dane.sys4.de". If it reads "Verified TLS connection" (Postfix) your DANE setup works properly.
posttls-finger example.org
where example.org here is the dane test domain, much more simple test
if postfix already is configured as a dane client
Here's a log example:
Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
yes
named.conf: dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
main.cf: smtp_dns_support_level = dnssec smtp_tls_security_level = dane
from then on just use posttls-finger without any options
posttls-finger dane.sys4.de