On Tue, Jul 14, 2015 at 01:31:16PM +0200, Andreas Schulze wrote:
Hello,
messages to *@ewnederland.nl are deferred by postfix-3.0.x here.
https://dane.sys4.de/smtp/ewnederland.nl says "No TLSA records." In contrast:

# posttls-finger ewnederland.nl
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.remote.meulen.nl type=TLSA: Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.remote.meulen.nl type=TLSA: Host not found, try again
posttls-finger: Failed to establish session to ewnederland.nl via remote.meulen.nl: TLSA lookup error for remote.meulen.nl:25
As a workaround I configure "ewnederland.nl may" in smtp_tls_policy_maps. Are there better ways?
Try again; the domain is returning validated NXDOMAIN responses for that qname now. Perhaps meulen.nl had a brief DNSSEC outage (failed to sign the zone promptly). Right now all's well:
http://dnsviz.net/d/_25._tcp.remote.meulen.nl/dnssec/
You should not see any problems after flushing your resolver's cache (for at least meulen.nl and is.nl).
As for "better ways", in principle, the right response is to flush resolver caches first, to see whether any DNS problems are fixed on the receiving end. Also check the TLSA base domain via dnsviz.net and the email domain via https://dane.sys4.de.
If everybody agrees it's broken, and you've urgent mail to send, yes, you can change the Postfix policy to "encrypt" or "may". Drop their postmaster a note to let them know about the problem, and ask them to notify you when it is resolved.
You don't want to get stuck with long-term manual overrides in your policy table.
My list of persistently broken (wrong TLSA RRset) domains is:
0x20.eu 1post.de cutspin.com dilruacs.nl fonsecu.de fromix.de joworld.net secufon.de tsimnet.eu yu.am yuam.net
the owners of these domains did not respond to my email alerting them to the problem.
I know of another ~90 domains with persistently inaccessible TLSA RRsets due to misconfigured firewalls or buggy nameservers (compare with >1500 with a working DANE configuration).
bb.b.br enfam.jus.br justicaeleitoral.jus.br stj.jus.br tre-al.jus.br tre-ba.jus.br tre-ce.jus.br tre-go.jus.br tre-ma.jus.br tre-mg.jus.br tre-ms.jus.br tre-mt.jus.br tre-pb.jus.br tre-pe.jus.br tre-pr.jus.br tre-rn.jus.br tre-rs.jus.br tre-sp.jus.br ea5dfv.cat autorelaxed.com convoglio.com edsi-tech.com gleez.com nmihi.com pilotnordic.com 1000listku.cz ceskearchivy.cz fermontplus.cz fosfa.cz linuxdays.cz palat.cz pozorkliste.cz thosting.cz vetclinic.cz vkh.cz pe82.de truman.edu 64bitswebhosting.eu exceed-it.eu studienportal.eu kepa.fi africanamericanhistorymonth.gov americaslibrary.gov asianpacificheritage.gov congress.gov copyright.gov crs.gov digitalpreservation.gov digitizationguidelines.gov lis.gov nativeamericanheritagemonth.gov read.gov techtrack.gov womenshistorymonth.gov dnet.net.id asis.io 192.jp dw.centcom.mil pasla.net kas.eabo.nl famklijsen.nl freshned.nl gmahengelo.nl h0st.nl lewins.nl lgms.nl maartenburie.nl main.mc-creative.nl tvk.nl vrijeuitgevers.nl xnyhps.nl zenger.nl flashmedia.no gustavsenas.no jfcns.net.nz patriotguard.org alltforhundar.se ap2.se cloud.ekenberg.se fokau.se ludl.se manc.se minhyresvard.se nllplus.se ostebro.se rafel.se statskontoret.se mof.gov.tw
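The reply above distinguishes three different things that all look like "DANE trouble" from the sending side: a TLSA lookup that fails (SERVFAIL, or a DNSSEC-bogus answer from a validating resolver, which is what the posttls-finger output shows and what makes Postfix defer), a validated denial of existence ("No TLSA records", which just means opportunistic TLS), and a signed TLSA RRset whose hashes no longer match the certificate the MX serves (the "wrong TLSA RRset" domains in the list). The following is an added example, not code from this thread or from Postfix: it models how a DANE SMTP client such as Postfix with smtp_tls_security_level=dane maps each TLSA lookup outcome to an effective TLS level (my reading of RFC 7672 and the Postfix TLS_README, simplified; CNAME expansion of the TLSA base domain is left out), and checks whether a TLSA RRset authenticates a certificate chain the way DANE-EE(3) and DANE-TA(2) records are matched. The DNS responses and certificate bytes are constructed stand-ins; real records would hash DER-encoded certificates.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2  # also what a validating resolver returns for bogus data
    NXDOMAIN = 3

@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

    def usable(self) -> bool:
        # RFC 7672: SMTP clients honour only DANE-TA(2) and DANE-EE(3).
        return (self.usage in (2, 3) and self.selector in (0, 1)
                and self.mtype in (0, 1, 2))

@dataclass
class TlsaResponse:
    rcode: Rcode
    ad: bool = False  # AD bit: the resolver DNSSEC-validated this answer
    records: tuple = ()
    timed_out: bool = False

def dane_policy(mx_secure: bool, resp: TlsaResponse) -> str:
    """Effective level for one MX: 'dane' (authenticated TLS required),
    'encrypt' (TLS required, unauthenticated), 'may' (opportunistic TLS)
    or 'defer' (queue the mail; the case the posttls-finger output shows)."""
    if not mx_secure:
        return "may"  # MX RRset not validated: TLSA records cannot be trusted
    if resp.timed_out or resp.rcode == Rcode.SERVFAIL:
        return "defer"  # lookup error, incl. DNSSEC-bogus data: try later
    if not resp.ad:
        return "may"  # TLSA name lies in an unsigned zone: no DANE
    if resp.rcode == Rcode.NXDOMAIN or not resp.records:
        return "may"  # validated denial of existence: "No TLSA records"
    if any(r.usable() for r in resp.records):
        return "dane"
    return "encrypt"  # signed RRset but nothing usable: TLS without auth

@dataclass(frozen=True)
class Cert:
    der: bytes   # constructed stand-in for the DER certificate
    spki: bytes  # constructed stand-in for its SubjectPublicKeyInfo

def _digest(mtype: int, raw: bytes) -> bytes:
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def make_tlsa(usage: int, selector: int, mtype: int, cert: Cert) -> Tlsa:
    """The record a zone operator should publish for `cert`."""
    raw = cert.der if selector == 0 else cert.spki
    return Tlsa(usage, selector, mtype, _digest(mtype, raw))

def _matches(rec: Tlsa, cert: Cert) -> bool:
    raw = cert.der if rec.selector == 0 else cert.spki
    return _digest(rec.mtype, raw) == rec.data

def tlsa_authenticates(records, chain) -> bool:
    """chain[0] is the leaf the MX presented, chain[1:] its issuers.
    DANE-EE must match the leaf; DANE-TA must match some issuer."""
    leaf, issuers = chain[0], chain[1:]
    for rec in records:
        if not rec.usable():
            continue
        if rec.usage == 3 and _matches(rec, leaf):
            return True
        if rec.usage == 2 and any(_matches(rec, c) for c in issuers):
            return True
    return False

# Constructed certificates: the MX rotated its key, the zone did not follow.
ISSUER = Cert(der=b"cert:example-ca", spki=b"spki:ca-key")
OLD_LEAF = Cert(der=b"cert:mx.example:2014", spki=b"spki:key-2014")
NEW_LEAF = Cert(der=b"cert:mx.example:2015", spki=b"spki:key-2015")
GOOD_RRSET = (make_tlsa(3, 1, 1, NEW_LEAF),)
STALE_RRSET = (make_tlsa(3, 1, 1, OLD_LEAF),)  # a "wrong TLSA RRset"

if __name__ == "__main__":
    print(dane_policy(True, TlsaResponse(Rcode.SERVFAIL)))           # defer
    print(dane_policy(True, TlsaResponse(Rcode.NXDOMAIN, ad=True)))  # may
    print(tlsa_authenticates(GOOD_RRSET, [NEW_LEAF, ISSUER]))        # True
    print(tlsa_authenticates(STALE_RRSET, [NEW_LEAF, ISSUER]))       # False
```

The two failure modes call for different responses. A "defer" outcome is usually transient on the receiving side (an unsigned or stale zone, a firewall dropping TLSA queries, a resolver that cached bogus data), so flushing the local resolver cache and re-checking with dnsviz.net comes before any policy change. A stale RRset, by contrast, authenticates nothing until the zone is fixed, and a line such as "ewnederland.nl may" in smtp_tls_policy_maps simply forces the "may" branch for that domain regardless of what the lookup returns, which is exactly why such overrides should not be left in place once the remote side has repaired its DNS.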