On May 18, 2017, at 3:23 AM, Bart Knubben wrote:

1. Check this new tool for testing if your mail server checks DANE when sending email: https://havedane.net

It is a step in the right direction, though testing should ultimately be much more comprehensive. * Test that "expired" certificates are accepted with DANE-EE(3) * Test that matching hostnames are not required with DANE-EE(3) * Test multiple DANE-EE(3) SPKI(1) SHA2-256(1) records with just one matching the chain. * Probe for digest agility support, test a working SHA2-512(2) a non-working SHA2-256(1) and vice versa. * Test DANE-TA(2) support with TA certificate in the server chain * Test DANE-TA(2) with wildcard leaf certificate. * Test DANE-TA(2) with expired leaf certificates, or non-matching DNS-ID. * Test optional DANE-TA(2) SPKI(1) Full(0) support with the trust anchor public key in DNS and the full certificate NOT provided in the chain (Postfix supports this, other MTAs might not. Per RFC7671 support this corner case is optional, and servers MUST include the trust anchor CA certificate in their chain. * Test support for a combination of a DANE-TA(2) and a DANE-EE(3) -- Viktor. (both cases). * Test TLSA record lookup failures (broken RRsig, broken denial of existence, ...) * Test DNSSEC-signed domains with MX hostnames in an unsigned zone. Their TLSA records should not be looked up (delegate "_tcp" to non-responding and perhaps query-logging servers, sender should not be delayed by trying to look these up). ... If you want to check that your Postfix is doing DANE minimally correctly per this site, just try: $ myemail=... $ sendmail -bv -f $myemail probe-rcpt@wrong.havedane.net $ sendmail -bv -f $myemail probe-rcpt@do.havedane.net $ sendmail -bv -f $myemail probe-rcpt@dont.havedane.net Then check your logs. You should see something along the lines of: May 18 10:10:59 amnesiac postfix/pickup[60085]: B48AC3904F: uid=1001 from=<...> May 18 10:10:59 amnesiac postfix/cleanup[60313]: B48AC3904F: message-id=<20170518141059.B48AC3904F@amnesiac.imrryr.org> May 18 10:10:59 amnesiac postfix/qmgr[17091]: B48AC3904F: from=<...>, size=316, nrcpt=1 (queue active) May 18 10:11:00 amnesiac postfix/smtp[60315]: certificate verification failed for wrong.havedane.net[5.79.70.105]:25: untrusted issuer /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain May 18 10:11:00 amnesiac postfix/smtp[60315]: Untrusted TLS connection established to wrong.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) May 18 10:11:00 amnesiac postfix/smtp[60315]: B48AC3904F: to=, relay=wrong.havedane.net[5.79.70.105]:25, delay=1.2, delays=0.03/0.01/1.2/0, dsn=4.7.5, status=undeliverable (Server certificate not trusted) May 18 10:11:01 amnesiac postfix/bounce[60328]: B48AC3904F: sender delivery status notification: 0CA8939052 May 18 10:11:01 amnesiac postfix/qmgr[17091]: B48AC3904F: removed May 18 10:11:18 amnesiac postfix/pickup[60085]: D1FFC39054: uid=1001 from=<...> May 18 10:11:18 amnesiac postfix/cleanup[60313]: D1FFC39054: message-id=<20170518141118.D1FFC39054@amnesiac.imrryr.org> May 18 10:11:18 amnesiac postfix/qmgr[17091]: D1FFC39054: from=<...>, size=313, nrcpt=1 (queue active) May 18 10:11:19 amnesiac postfix/smtp[60315]: Verified TLS connection established to do.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) May 18 10:11:19 amnesiac postfix/smtp[60315]: D1FFC39054: to=<47e517f26634fd03@do.havedane.net>, relay=do.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.93/0.1, dsn=2.1.5, status=deliverable (250 2.1.5 Ok) May 18 10:11:19 amnesiac postfix/bounce[60328]: D1FFC39054: sender delivery status notification: F024239056 May 18 10:11:19 amnesiac postfix/qmgr[17091]: D1FFC39054: removed May 18 10:11:36 amnesiac postfix/pickup[60085]: 8385E39058: uid=1001 from=<...> May 18 10:11:36 amnesiac postfix/cleanup[60313]: 8385E39058: message-id=<20170518141136.8385E39058@amnesiac.imrryr.org> May 18 10:11:36 amnesiac postfix/qmgr[17091]: 8385E39058: from=<...>, size=315, nrcpt=1 (queue active) May 18 10:11:37 amnesiac postfix/smtp[60315]: Anonymous TLS connection established to dont.havedane.net[5.79.70.105]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits) May 18 10:11:37 amnesiac postfix/smtp[60315]: 8385E39058: to=<47e517f26634fd03@dont.havedane.net>, relay=dont.havedane.net[5.79.70.105]:25, delay=1, delays=0/0/0.91/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 Ok) May 18 10:11:37 amnesiac postfix/bounce[60328]: 8385E39058: sender delivery status notification: 99CC23905A May 18 10:11:37 amnesiac postfix/qmgr[17091]: 8385E39058: removed -- Viktor.