On Sep 4, 2018, at 3:54 AM, Andreas Schulze andreas.schulze@datev.de wrote:
unsure it that topic may better discussed on postfix-users....
This probably belongs on the Postfix-users list, but perhaps not a bad idea if other DANE users also know.
I'm messages for *@sushi-circle.de in my outbound deferred queue. Sep 2 11:15:38 idvmailout02 postfix/smtp[73811]: 422V1C0rjyzNkGv: to=***@sushi-circle.de, relay=none, delay=88795, delays=88794/0.24/0.61/0, dsn=4.7.5, status=deferred (TLSA lookup error for login.enterprise-email.com:25) Sep 2 11:15:38 idvmailout02 postfix/smtp[73811]: warning: TLS policy lookup for sushi-circle.de/login.enterprise-email.com:TLSA lookup error for login.enterprise-email.com:25 Sep 2 11:15:38 idvmailout02 postfix/smtp[73811]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.login.enterprise-email.com type=TLSA: Host not found, try again Sep 2 11:15:37 idvmailout02 postfix/smtp[73811]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.login.enterprise-email.com type=TLSA: Host not found, try again
I wonder, why postfix try to lookup TLSA Records for the MX at all. The destination domain sushi-circle.de is unsigned and so any TLSA for the MX don't matter. Is there any switch to influence that behavior?
http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy.
Bottom line, DNSSEC-signed domains need to have working DNSSEC. You can disable DNSSEC for enterprise-email.com in your resolver and fix all the domains (~40 according to viewdns.info) that happen to use its MX hosts. In unbound that would be:
/etc/unbound/unbound.conf: server: domain-insecure: "enterprise-email.com"
However, in this case the real issue is that the nameservers for enterprise-email.com don't handle empty non-terminals correctly:
http://dnsviz.net/d/_25._tcp.login.enterprise-email.com/dnssec/
An alternative fix is to disable qname-minimization (which does run into interop issues in such cases):
server: qname-minimisation: no
Then you'll find that the TLSA records actually exist! And mail to this domain will be partly protected by DANE (barring forged MX records, which leave forensic evidence in your logs).