On Wed, Nov 02, 2016 at 09:52:58PM +0100, Andreas Schulze wrote:
we found messages to "sushi-circle.de" stay in our MTA facing outside world: "status=deferred (TLSA lookup error for login.enterprise-email.com:25)"
That domain has broken DNS servers, as can be seen at:
http://dnsviz.net/d/_25._tcp.login.enterprise-email.com/dnssec/
The issue is that it breaks query minimization. Queries for
_tcp.login.enterprise-email.com
return a "bogus" NXDOMAIN (perhaps a DJBDNS server with rather incomplete DNSSEC support or a very out of date PowerDNS), while queries for _25._tcp return TLSA records...
Whether any particular client detects this or not rather depends on whether the client's resolver enables query minimization.
The reason TLSA records are in play for this domain, is that while the domain's zone is not DNSSEC signed, the MX host's domain is, and so by default, its TLSA records are still used with Postfix 3.1 and later:
http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy
The dane.sys4.de code does not inspect TLSA records for domains with an insecure MX RRset. You can directly test the MX host to check. Because dane.sys4.de is not doing query minimization, everything checks out.
https://dane.sys4.de/smtp/login.enterprise-email.com
I guess some piece of software is wrong...
No, rather the world is complicated, and not everything uses the same set of configuration options and runs into the same interop issues.
Query minimization provides some additional privacy, but it has costs in both latency and reliability (runs into more bugs). It is suitable for personal machines, but may not yet be wise for servers.
FWIW, The resolver I'm using at the moment is not configured for query minimization, and so:
$ posttls-finger -c -l dane sushi-circle.de posttls-finger: using DANE RR: _25._tcp.login.enterprise-email.com IN TLSA 3 0 1 DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19 posttls-finger: MX RRset insecure: log verified as trusted posttls-finger: login.enterprise-email.com[95.128.200.159]:25: depth=0 matched end entity certificate sha256 digest DC:70:0D:9F:49:F9:D2:D0:6F:86:18:46:86:86:B3:D7:A8:DC:53:4A:CB:D5:F1:51:39:5D:4A:CF:AD:00:56:19 posttls-finger: login.enterprise-email.com[95.128.200.159]:25: Matched subjectAltName: login.enterprise-email.com posttls-finger: login.enterprise-email.com[95.128.200.159]:25: subjectAltName: www.login.enterprise-email.com posttls-finger: login.enterprise-email.com[95.128.200.159]:25 CommonName login.enterprise-email.com posttls-finger: login.enterprise-email.com[95.128.200.159]:25: subject_CN=login.enterprise-email.com, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=38:AC:5C:74:90:66:BA:FE:45:B1:09:31:21:96:F7:C3:55:30:E7:9C, pkey_fingerprint=A0:11:EB:11:CD:BB:E3:A1:C7:F8:B9:AA:A0:E8:02:6B:47:1A:69:28 posttls-finger: Trusted TLS connection established to login.enterprise-email.com[95.128.200.159]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)