
tlsa for smtp to @bugs.debian.org

First of all, thanks for adding the TLSA RR for _25._tcp.buxtehude.debian.org.

It is a significant step forward, even given the following.

Sadly, using postfix 2.11-20130825-1 for outgoing smtp with:

  smtp_tls_note_starttls_offer = yes
  smtp_use_tls = yes
  smtp_dns_support_level = dnssec
  smtp_tls_security_level = dane

If I test with:

  gnutls-cli --dane --local-dns --no-ca-verification --starttls --port 25 buxtehude.debian.org

it connects, negotiates the tls and verifies the tlsa as expected.

Without dnssec enabled in postfix's config (which consequently disables
dane), the tls handshake still fails, but postfix continues on w/o tls.
(It is /opportunistic/ tls, in that case.)

This seems to be an openssl vs exim issue.

I'm sending this here to confirm whether the @deb MXs work....

James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
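The post contrasts three outcomes for the same MX: a DANE-verified handshake (gnutls-cli with --dane), a Postfix run at security level dane with dnssec lookups, and a Postfix run without dnssec where dane quietly degrades to opportunistic TLS. The following is an added example, not code from the post or from Postfix, that shows the two pieces behind that behaviour: the RFC 6698 matching of a TLSA record (usage, selector, matching type) against a presented certificate, and a small model of the effective security level Postfix ends up with. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders (not real DER), the SPKI is assumed to be already extracted by the caller, and the downgrade rules (no DNSSEC or no records: may; records present but none usable: encrypt) are my reading of Postfix's documented DANE behaviour, not code taken from it.

```python
"""TLSA matching (RFC 6698) plus a model of Postfix's DANE level downgrade.

Added example; not from the original post or from Postfix. CERT_DER and
SPKI_DER below are constructed sample bytes, not real DER structures.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# Certificate usages from RFC 6698; SMTP DANE (RFC 7672) only uses 2 and 3.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Constructed sample input (assumption: SPKI already extracted from the cert).
CERT_DER = b"constructed-end-entity-certificate-der-bytes"
SPKI_DER = b"constructed-subject-public-key-info-bytes"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file form, e.g. '3 1 1 <hex>', into a TLSA record."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, mtype: int) -> bytes:
    """Certificate association data per RFC 6698 section 2.1.3."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for(cert_der: bytes, spki_der: bytes,
             usage: int, selector: int, mtype: int) -> str:
    """Produce the presentation form a zone operator would publish."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"


def is_usable(record: TLSA) -> bool:
    """RFC 7672: only usages 2/3 with known selector/matching type count."""
    return (record.usage in (DANE_TA, DANE_EE)
            and record.selector in (0, 1) and record.mtype in (0, 1, 2))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity cert satisfies a DANE-EE(3) record.

    Usage 2 (DANE-TA) needs chain building and is deliberately not handled.
    """
    if record.usage != DANE_EE or not is_usable(record):
        return False
    return association_data(cert_der, spki_der,
                            record.selector, record.mtype) == record.data


def effective_level(security_level: str, dns_support: str,
                    records: Iterable[TLSA], dnssec_validated: bool) -> str:
    """Model (assumption, from Postfix documentation) of the level used
    for a destination when smtp_tls_security_level is 'dane'."""
    if security_level != "dane":
        return security_level
    if dns_support != "dnssec" or not dnssec_validated:
        return "may"                      # dane silently degrades
    recs: List[TLSA] = list(records)
    if not recs:
        return "may"                      # no TLSA published
    if not any(is_usable(r) for r in recs):
        return "encrypt"                  # records present, none usable
    return "dane-only"                    # authenticated TLS enforced


if __name__ == "__main__":
    rec = parse_tlsa(tlsa_for(CERT_DER, SPKI_DER, DANE_EE, 1, 1))
    print("matches:", tlsa_matches(rec, CERT_DER, SPKI_DER))
    print("dnssec:", effective_level("dane", "dnssec", [rec], True))
    print("no dnssec:", effective_level("dane", "enabled", [rec], False))
```

The point of the model is the last two calls: with the same TLSA record published, the verification only becomes mandatory when the lookup path is DNSSEC-validated; otherwise the session falls back to opportunistic TLS, which is exactly the "continues on w/o tls" behaviour the post observes, and the reason a failed handshake at level may is not treated as an error.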
