Sorry about the confusion.
In Patricks and Carstens PDF file there are two examples.
I think they describe outgoing connections, right? There are the keywords „Verified“ and „Untrusted“, so far so good.
But what is about incoming connections? There seems to be no parameter like smtpd_tls_security_level or smtpd_dns_support_level.
Is it not possible to verify incoming connections which in my opinion is more important than outgoing?
And in my log file there are only anonymous TLS connections which means: no CA-signed certificate, right?
Frank
Am 15.01.2015 um 15:25 schrieb Frank Fiene ffiene@veka.com:
Am 15.01.2015 um 14:10 schrieb Michael Schwartzkopff <ms@sys4.de mailto:ms@sys4.de>:
Am Donnerstag, 15. Januar 2015, 13:46:39 schrieb Frank Fiene:
The „da" flag is missing!?
„ad"
Sigh, Apple ...
Am 15.01.2015 um 13:06 schrieb Patrick Ben Koetter <p@sys4.de mailto:p@sys4.de>:
dig +dnssec dane.sys4.de http://dane.sys4.de/ <http://dane.sys4.de/ http://dane.sys4.de/>
root@mail:/home/ffiene# dig +dnssec dane.sys4.de http://dane.sys4.de/ +m
; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de http://dane.sys4.de/ +m ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5
Your resolver gets all the dnssec relevant RR of the domain, but does not check if the RRSIG are really correct. Please check the same with a dnssec enabled resolver. 8.8.8.8 for instance does check the signatures.
dig @8.8.8.8 +dnssec sys4.de http://sys4.de/
you will see, that the "ad" flag ist present in the answer.
Next step: Install a dnssec aware resolver.
On the other mailserver with no local DNS server (the other mailserver has a local DNS server which forwards to the same as this one):
root@mail1:/etc/postfix# dig +dnssec dane.sys4.de http://dane.sys4.de/ +m
; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> +dnssec dane.sys4.de http://dane.sys4.de/ +m ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
But still anonymous TLS connections only!
Frank
Mit freundlichen Grüßen,
Michael Schwartzkopff
-- [*] sys4 AG
http://sys4.de http://sys4.de/, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Viele Grüße! i.A. Frank Fiene -- Frank Fiene IT-Security Manager VEKA Group
Fon: +49 2526 29-6200 Fax: +49 2526 29-16-6200 mailto: ffiene@veka.com mailto:ffiene@veka.com http://www.veka.com http://www.veka.com/
PGP-ID: 62112A51 PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51 Threema: VZK5NDWW
VEKA AG Dieselstr. 8 48324 Sendenhorst Deutschland/Germany
Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO), Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler, Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer HRB 8282 AG Münster/District Court of Münster
Viele Grüße! i.A. Frank Fiene