Sorry about the confusion.

In Patricks and Carstens PDF file there are two examples.

I think they describe outgoing connections, right?
There are the keywords „Verified“ and „Untrusted“, so far so good.

But what is about incoming connections?
There seems to be no parameter like smtpd_tls_security_level or smtpd_dns_support_level.

Is it not possible to verify incoming connections which in my opinion is more important than outgoing?

And in my log file there are only anonymous TLS connections which means: no CA-signed certificate, right?


Frank

Am 15.01.2015 um 15:25 schrieb Frank Fiene <ffiene@veka.com>:


Am 15.01.2015 um 14:10 schrieb Michael Schwartzkopff <ms@sys4.de>:

Am Donnerstag, 15. Januar 2015, 13:46:39 schrieb Frank Fiene:
The „da" flag is missing!?

„ad"

Sigh, Apple ...


Am 15.01.2015 um 13:06 schrieb Patrick Ben Koetter <p@sys4.de>:

dig +dnssec dane.sys4.de <http://dane.sys4.de/>

root@mail:/home/ffiene# dig +dnssec dane.sys4.de +m

; <<>> DiG 9.9.5-3-Ubuntu <<>> +dnssec dane.sys4.de +m
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53974
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5


Your resolver gets all the dnssec relevant RR of the domain, but does not
check if the RRSIG are really correct. Please check the same with a dnssec
enabled resolver. 8.8.8.8 for instance does check the signatures.

dig @8.8.8.8 +dnssec sys4.de

you will see, that the "ad" flag ist present in the answer.

Next step: Install a dnssec aware resolver.

On the other mailserver with no local DNS server (the other mailserver has a local DNS server which forwards to the same as this one):

root@mail1:/etc/postfix# dig +dnssec dane.sys4.de +m

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> +dnssec dane.sys4.de +m
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1


But still anonymous TLS connections only!



Frank

Mit freundlichen Grüßen,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

Viele Grüße!
i.A. Frank Fiene
-- 
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene@veka.com
http://www.veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster


Viele Grüße!
i.A. Frank Fiene
-- 
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene@veka.com
http://www.veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster