On Fri, Jan 30, 2015 at 08:54:48AM +0100, Wolfgang Rosenauer wrote:
> Anyway, testing sending from one of my already enabled Postfix systems to the new one, I only get "Anonymous TLS connection established" while the DANE validator https://dane.sys4.de/smtp reports everything green for the target.
> Any ideas? (target is mail.tismail.net)
$ postconf mail_version
mail_version = 3.0-20150129

$ posttls-finger -c -Lsummary tismail.net
posttls-finger: Verified TLS connection established to mail.tismail.net[185.27.180.68]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
(By the way tismail2.net is broken, publishes TLSA RRs, but does not offer STARTTLS).
Your DNS resolver is likely returning non-DNSSEC results. Take this question to the Postfix-users list.
* Your smtp(8) delivery agent may be chrooted, and the resolv.conf file in the chroot jail may differ from the one in /etc; in any case, one or the other may not be pointing at a loopback DNSSEC-validating resolver.
* Your Postfix configuration settings may be wrong.
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
* Your Postfix version may not be 2.11.3 or later.
* Your C library may not return the "AD" bit in DNSSEC replies (OpenBSD seems to have this problem).
When asking questions on the Postfix-users list, don't forget to include all relevant logging, your "postconf -n" output (not mangled by HTML email and without rewrapping of lines), all relevant master.cf entries, the resolv.conf file content in and out of chroot, relevant TLS policy table entries, the Postfix version, the OS version, ...
Don't provide needlessly verbose logs, just the basics with TLS loglevel=1.
http://www.postfix.org/DEBUG_README.html#mail
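The checklist in the reply above (Postfix version, the two DANE settings, resolv.conf in and out of the chroot, and whether the resolver actually returns validated answers) can be turned into a small script. This is an added example, not code from the thread or from the Postfix project. It assumes the chroot copy of resolv.conf lives under `$queue_directory/etc` (the usual layout), that `postconf` and `dig` are installed, and that the hostname passed as the second argument is the MX whose TLSA record should be looked up. The helper functions read their input from stdin or arguments, so they can be exercised on captured output without touching the live system; the live checks run only with `--live`.

```shell
#!/bin/sh
# Added example (not from the thread): a DANE-readiness checklist for a Postfix host.
# Usage: sh dane-check.sh --live mx.example.org    (hostname is a placeholder)

# version_ge A B: succeed if dotted version A is at least B.
# Snapshot suffixes such as "3.0-20150129" are dropped before comparing.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# check_dane_settings: read "postconf -n" output on stdin and require both
# settings from the reply (dane-only is accepted as well).
check_dane_settings() {
    settings=$(cat)
    printf '%s\n' "$settings" | grep -qx 'smtp_dns_support_level = dnssec' &&
    printf '%s\n' "$settings" | grep -qxE 'smtp_tls_security_level = dane(-only)?'
}

# nameserver_is_loopback: read a resolv.conf on stdin; succeed only if there is
# at least one nameserver line and every one points at a loopback address,
# which is where a validating resolver has to sit for the AD bit to be trusted.
nameserver_is_loopback() {
    awk '$1 == "nameserver" { n++; if ($2 !~ /^(127\.|::1$)/) bad++ }
         END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# ad_bit_set: read "dig +dnssec" output on stdin and succeed if the header
# flags include AD (authenticated data), i.e. the resolver validated the answer.
ad_bit_set() {
    grep -qE '^;; flags:( [a-z]+)* ad[ ;]'
}

# Live checks against the local Postfix installation (needs postconf and dig).
run_live_checks() {
    host=$1

    ver=$(postconf -h mail_version)
    if version_ge "$ver" 2.11.3; then
        echo "ok   mail_version $ver"
    else
        echo "FAIL mail_version $ver is older than 2.11.3"
    fi

    if postconf -n | check_dane_settings; then
        echo "ok   smtp_dns_support_level=dnssec and smtp_tls_security_level=dane"
    else
        echo "FAIL smtp_dns_support_level=dnssec and smtp_tls_security_level=dane are not both set"
    fi

    # Assumed chroot location: <queue_directory>/etc/resolv.conf
    chroot_rc="$(postconf -h queue_directory)/etc/resolv.conf"
    for f in /etc/resolv.conf "$chroot_rc"; do
        if [ -r "$f" ] && nameserver_is_loopback < "$f"; then
            echo "ok   $f points at a loopback resolver"
        else
            echo "FAIL $f is missing or does not point at a loopback resolver"
        fi
    done
    if [ -r "$chroot_rc" ] && ! cmp -s /etc/resolv.conf "$chroot_rc"; then
        echo "WARN /etc/resolv.conf and $chroot_rc differ; smtp(8) sees the chroot copy if chrooted"
    fi

    # dig talks to the resolver directly, so an AD bit here proves the resolver
    # validates; a C library that strips AD only shows up in Postfix's own logs.
    if dig +dnssec -t tlsa "_25._tcp.$host" | ad_bit_set; then
        echo "ok   TLSA lookup for _25._tcp.$host returned AD"
    else
        echo "FAIL no AD bit on TLSA lookup for _25._tcp.$host (resolver not validating?)"
    fi
}

if [ "${1:-}" = --live ] && [ -n "${2:-}" ]; then
    run_live_checks "$2"
fi
```

A "FAIL" on the resolv.conf lines is the most common cause of the symptom in the thread: the smtp(8) process ends up asking a non-validating resolver, gets no AD bit, and Postfix falls back to an anonymous/unauthenticated connection even though the remote side's TLSA records are fine.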