ANN: DANE testing (sink@dane.sys4.de)
If you need a DNSSEC-enabled destination to test your DANE setup, send a message to sink@dane.sys4.de. It will accept your message and discard it.
Check your log for a line "to dane.sys4.de". If it reads "Verified TLS connection" (Postfix), your DANE setup works properly.
Here's a log example:
Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
p@rick
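A small log check for the procedure above, added here as an example and not part of the original post: it parses the postfix/smtp "TLS connection established" lines and reports, per destination, the trust level Postfix logged. The first sample line is the one from the post; the other lines are constructed, and the hosts mx.example.net and mx.example.org are placeholders.

```python
"""Classify Postfix SMTP client TLS log lines per destination.

Added example; it is not code from the thread. The first sample line
is the one from the post, the rest are constructed for illustration.
"""
import re

# Constructed sample: the line from the post plus three made-up lines
# for placeholder hosts (mx.example.net, mx.example.org).
SAMPLE_LOG = """\
Apr  8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  8 19:53:02 mail postfix/smtp[28742]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  8 19:53:40 mail postfix/smtp[28743]: Anonymous TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Apr  8 19:54:11 mail postfix/smtp[28741]: 3A1B2C3D4E: to=<sink@dane.sys4.de>, relay=dane.sys4.de[2001:1578:400:111::3:1]:25, delay=1.2, delays=0.1/0/0.7/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0123456789)
"""

# Postfix logs one of these four trust levels for every TLS session.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def parse_tls_lines(log_text):
    """One dict per 'TLS connection established' line; other lines are ignored."""
    return [m.groupdict() for m in map(TLS_LINE.search, log_text.splitlines()) if m]


def tls_level_for(log_text, host):
    """Trust level of the most recent TLS session to host, or None if none was logged."""
    level = None
    for rec in parse_tls_lines(log_text):
        if rec["host"] == host:
            level = rec["level"]
    return level


def dane_verified(log_text, host):
    """The check from the post: did the last session to host reach 'Verified'?

    'Verified' is what a matching TLSA record produces under
    smtp_tls_security_level = dane. The same word is logged when a CA-based
    level such as 'secure' verifies the peer, so the line proves that
    authentication succeeded, not which mechanism did it.
    """
    return tls_level_for(log_text, host) == "Verified"


def unauthenticated_hosts(log_text):
    """Destinations whose last session was weaker than 'Verified'.

    Under the dane level these are domains where Postfix fell back to
    opportunistic TLS (no TLSA records found) or to encryption without
    authentication (TLSA records found but none usable).
    """
    last = {}
    for rec in parse_tls_lines(log_text):
        last[rec["host"]] = rec["level"]
    return sorted(h for h, lvl in last.items() if lvl != "Verified")


if __name__ == "__main__":
    for rec in parse_tls_lines(SAMPLE_LOG):
        print("%-16s %-10s %s %s" % (rec["host"], rec["level"], rec["proto"], rec["cipher"]))
    print("DANE ok for dane.sys4.de:", dane_verified(SAMPLE_LOG, "dane.sys4.de"))
```

Anything other than Verified for dane.sys4.de means the DANE path was not exercised: with smtp_tls_security_level = dane, Postfix delivers opportunistically when it finds no TLSA records and with unauthenticated encryption when the records it finds are unusable, and both show up as Untrusted or Anonymous. posttls-finger also reports the TLSA records it used, which the mail log does not.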
Patrick Ben Koetter wrote on 2015-04-08 19:57:
> If you need a DNSSEC-enabled destination to test your DANE setup, send a message to sink@dane.sys4.de. It will accept your message and discard it.
+1
> Check your log for a line "to dane.sys4.de". If it reads "Verified TLS connection" (Postfix) your DANE setup works properly.
posttls-finger example.org

where example.org here is the DANE test domain; a much simpler test
if Postfix is already configured as a DANE client.
> Here's a log example:
> Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
yes
named.conf:
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
From then on, just use posttls-finger without any options:
posttls-finger dane.sys4.de
On Thu, Apr 09, 2015 at 01:14:19AM +0200, Benny Pedersen wrote:
>> If you need a DNSSEC-enabled destination to test your DANE setup, send a message to sink@dane.sys4.de. It will accept your message and discard it.
>> Check your log for a line "to dane.sys4.de". If it reads "Verified TLS connection" (Postfix) your DANE setup works properly.
This tests outbound DANE settings in the Postfix SMTP client.
> posttls-finger example.org
This tests inbound DANE TLSA records in the Postfix SMTP server.
>> Apr 8 19:52:31 mail postfix/smtp[28741]: Verified TLS connection established to dane.sys4.de[2001:1578:400:111::3:1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> yes
> named.conf: dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
I don't recommend ISC DLV lookaside. This is obsolete.
> main.cf: smtp_dns_support_level = dnssec smtp_tls_security_level = dane
These are Postfix SMTP client settings.
> from then on just use posttls-finger without any options
> posttls-finger dane.sys4.de
Which are not tested by posttls-finger; it tests the DANE configuration of remote domains, not the client settings of the local MTA, which it mostly does not use. (It does rely on the same working resolver.)
Viktor Dukhovni wrote on 2015-04-09 02:04:
>> named.conf: dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
> I don't recommend ISC DLV lookaside. This is obsolete.
Changed to no, thanks for the reminder; I knew this but just forgot it was deprecated.
>> main.cf: smtp_dns_support_level = dnssec smtp_tls_security_level = dane
> These are Postfix SMTP client settings.
Yes, but it helps when testing the server IMHO, or is there a better way?
>> from then on just use posttls-finger without any options
>> posttls-finger dane.sys4.de
> Which are not tested by posttls-finger, it tests the DANE configuration of remote domains, not the client settings of the local MTA which it mostly does not use. (It does rely on the same working resolver).
Not good? E.g., is testing one's own domains this way insecure in itself? Local or remote is no different there?
posttls-finger localhost
posttls-finger localhost.example.org
I tried to create a TLSA with
printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' $(uname -n) $(openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')
but it failed for me after the OpenSSL upgrade to 1.0.1l.
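A standard-library equivalent of the openssl pipeline above, added as an example and not code from the thread: it computes the "3 1 1" data as SHA-256 over the DER SubjectPublicKeyInfo pulled out of the certificate (which is what `openssl x509 -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` produces) and, going one step beyond the posted command, the "3 0 1" form, SHA-256 over the whole DER certificate. The certificate it runs on is a constructed DER skeleton that exists only to exercise the parser; it carries no real key, and the hostname mail.example.org is a placeholder.

```python
"""DANE-EE TLSA data from a PEM certificate, standard library only.

Added example, not code from the thread. The certificate used below is
a constructed DER skeleton for exercising the parser (no real key).
"""
import base64
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _tlv(der, pos):
    """Tag, header length and body length of the DER TLV starting at pos."""
    tag = der[pos]
    first = der[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def extract_spki(der):
    """DER bytes of subjectPublicKeyInfo, header included.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, hl, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos = hl                                # into tbsCertificate
    tag, hl, _ = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos += hl
    tag, hl, bl = _tlv(der, pos)
    if tag == 0xA0:                         # explicit [0] version, present for v2/v3
        pos += hl + bl
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, hl, bl = _tlv(der, pos)
        pos += hl + bl
    tag, hl, bl = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der[pos:pos + hl + bl]


def tlsa_data(pem, selector=1):
    """Matching type 1 (SHA-256) data for selector 0 (full cert) or 1 (SPKI)."""
    der = pem_to_der(pem)
    return sha256_hex(der if selector == 0 else extract_spki(der))


def tlsa_record(pem, host, port=25, usage=3, selector=1):
    """The same zone line the posted printf produces: _25._tcp.host. IN TLSA 3 1 1 <hex>."""
    return "_%d._tcp.%s. IN TLSA %d %d 1 %s" % (port, host, usage, selector,
                                                tlsa_data(pem, selector))


# ---- constructed test certificate (structure only, no real key) -------------
def _enc(tag, body):
    """Minimal DER TLV encoder used to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_NULL = _enc(0x05, b"")
_RSA_ALG = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _NULL)   # rsaEncryption
_SIG_ALG = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _NULL)   # sha256WithRSAEncryption
SAMPLE_SPKI = _enc(0x30, _RSA_ALG + _enc(0x03, b"\x00" + bytes(range(1, 65))))     # dummy key bits
_TBS = _enc(0x30,
            _enc(0xA0, _enc(0x02, b"\x02"))                                          # version v3
            + _enc(0x02, b"\x01")                                                     # serialNumber
            + _SIG_ALG                                                                # signature
            + _enc(0x30, b"")                                                         # issuer (empty Name)
            + _enc(0x30, _enc(0x17, b"150101000000Z") + _enc(0x17, b"160101000000Z"))  # validity
            + _enc(0x30, b"")                                                         # subject (empty Name)
            + SAMPLE_SPKI)
SAMPLE_DER = _enc(0x30, _TBS + _SIG_ALG + _enc(0x03, b"\x00" + bytes(64)))          # dummy signature
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record(SAMPLE_PEM, "mail.example.org"))              # 3 1 1
    print(tlsa_record(SAMPLE_PEM, "mail.example.org", selector=0))  # 3 0 1
```

Pass the PEM of the certificate Postfix actually serves (the file named by smtpd_tls_cert_file) to tlsa_record. The 3 1 1 form only changes when the key pair changes, so a renewal that keeps the key needs no DNS update; the 3 0 1 form has to be republished with every new certificate, which is why 3 1 1 is the usual choice.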
Participants (3): Benny Pedersen, Patrick Ben Koetter, Viktor Dukhovni