tlsa for smtp to @bugs.debian.org

To: debian-devel@lists.debian.org
Subject: tlsa for smtp to @bugs.debian.org
From: James Cloos <cloos@jhcloos.com>
Date: Wed, 11 Sep 2013 20:14:30 -0400
Message-id: <[🔎] m3hadq7v5s.fsf@carbon.jhcloos.org>

First of all, thanks for adding the TLSA RR for _25._tcp.buxtehude.debian.org.

It is a significant step forward, even given the following.

Sadly, using postfix 2.11-20130825-1 for outgoing smtp with:

  smtp_tls_note_starttls_offer = yes
  smtp_use_tls = yes
  smtp_dns_support_level = dnssec
  smtp_tls_security_level = dane

If I test with:

  gnutls-cli --dane --local-dns --no-ca-verification --starttls --port 25 buxtehude.debian.org

it connects, negotiates the tls and verifies the tlsa as expected.

Without dnssec enabled in postfix's config (which consequently disables
dane), the tls handshake still fails, but postfix continues on w/o tls.
(It is /oportunistic/ tls, in that case.)

This seems to be an openssl vs exim issue.

I'm sending this here to confirm whether the @deb MXs work....

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Reply to:

Follow-Ups:
- Re: tlsa for smtp to @bugs.debian.org
  - From: James Cloos <cloos@jhcloos.com>
- Re: tlsa for smtp to @bugs.debian.org
  - From: Stephen Gran <sgran@debian.org>

Prev by Date: Re: #688251: Built-Using description too aggressive
Next by Date: Re: tlsa for smtp to @bugs.debian.org
Previous by thread: Re: Bug#688251: #688251: Built-Using description too aggressive
Next by thread: Re: tlsa for smtp to @bugs.debian.org
Index(es):
- Date
- Thread