tlsa for smtp to @bugs.debian.org
First of all, thanks for adding the TLSA RR for _25._tcp.buxtehude.debian.org.
It is a significant step forward, even given the following.
Sadly, using postfix 2.11-20130825-1 for outgoing smtp with:
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
If I test with:
gnutls-cli --dane --local-dns --no-ca-verification --starttls --port 25 buxtehude.debian.org
it connects, negotiates the tls and verifies the tlsa as expected.
Without dnssec enabled in postfix's config (which consequently disables
dane), the tls handshake still fails, but postfix continues on w/o tls.
(It is /opportunistic/ tls, in that case.)
This seems to be an openssl vs exim issue.
I'm sending this here to confirm whether the @deb MXs work....
James Cloos <email@example.com> OpenPGP: 1024D/ED7DAEA6
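The check that `gnutls-cli --dane` and postfix's `dane` security level perform in the mail above, comparing the TLSA record's association data with the certificate the MX presents, as an added stand-alone Python example; this is not code from the mail, from postfix or from GnuTLS, and the certificate it checks is a constructed stand-in with real X.509 nesting but dummy field contents.

```python
import hashlib
def der_encode(tag, payload):
    """Encode one DER TLV, using long-form length when payload >= 128 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def der_decode(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, raw_tlv, end_offset)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length
def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, cert, _, _ = der_decode(cert_der)                # Certificate SEQUENCE
    _, tbs, _, _ = der_decode(cert)                     # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, raw, pos = der_decode(tbs, pos)
        fields.append((tag, raw))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields.pop(0)
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]
def tlsa_assoc_data(cert_der, selector, matching_type):
    """Association data a TLSA record carries for this cert (RFC 6698, 2.1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)  # 0=Cert 1=SPKI
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[matching_type]
    return digest(data)
def dane_match(records, chain_der):
    """True if a usable TLSA record matches: usage 3 (DANE-EE) against the leaf,
    usage 2 (DANE-TA) against any chain cert (TA-signs-chain check omitted).
    Usages 0/1 need PKIX trust and are not used for SMTP (RFC 7672): skipped."""
    for usage, selector, mtype, assoc in records:
        candidates = {3: chain_der[:1], 2: chain_der}.get(usage, [])
        if any(tlsa_assoc_data(c, selector, mtype) == assoc for c in candidates):
            return True
    return False
# Constructed stand-in certificate: real X.509 nesting, dummy field contents.
SPKI = der_encode(0x30, b"constructed-dummy-spki")
def fake_cert(spki, serial=b"\x01"):
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial)
    tbs += der_encode(0x30, b"") * 4 + spki             # sigalg, issuer, validity, subject
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
LEAF = fake_cert(SPKI)
RECORD_3_1_1 = (3, 1, 1, hashlib.sha256(SPKI).digest())  # the "3 1 1 <hex>" record form
```

`dane_match([RECORD_3_1_1], [LEAF])` is the DANE-EE case the mail's gnutls-cli run exercises; feeding it the cert a server actually presents (DER from the TLS handshake) and the record from DNS gives the same yes/no the clients compute.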