Hi Andreas,
On 3-9-18 15:07, Andreas Schulze wrote:
Am 03.09.2018 um 12:57 schrieb Jan-Pieter Cornet:
On smtp.xs4all.nl we enabled DANE outgoing verification, but currently only with a "soft fail": if DANE fails, we fallback to non-DANE delivery... for now. Except for a few hardcoded domains (currently only our own, and havedane.net). If anyone feels confident about their own DANE setup, feel free to send me your domain (or domains), and I'll add it to the list of hardfails.
cool stuff! I assume you use postfix. Could you be more verbose on how you implement what you name as "soft fail"?
No, we use Cloudmark Gateway (version 5.5.2 at the moment).
I'm currently not aware how to configure the "log dane failures but deliver anyway"
This MTA is fairly programmable. The way we implemented 'soft fail' is by inspecting the error in the "temp fail" phase. If that indicates a DANE problem (either bad TLSA records, bad certificate, or no TLS at all), then we re-queue the message for delivery within a few seconds, but marked as "no DANE".
So what that effectively does is connect to the remote MX, notice that there's a problem and close the connection again. Then a few seconds later you get another connection, but this time we do not check DANE, and delivery proceeds with only opportunistic TLS.
I'll use it to see if there are any more domains that need to be put on the dane-fail list.
Our domain (datev.de) could be a candidate for your "hardcoded domains". But I expect there is virtually no traffic between your and my users :-/
Actually, there is some traffic, a few mails a day it seems :). I've added your domain to the list. (Check out connections from 194.109.24.0/26. smtp.xs4all.nl is a cluster, and the frontend IP address is never going to make outgoing connections, but the cluster members are, which are in that network).
Andreas