The smtp local client tries to verify the TLSA entries by using DNSSEC.
I simply use a local unbound DNS server.
This setting stopped working after the upgrade. Maybe the posttls-finger is not so important, but this will trouble all mail admins who have some dane-only entries in their policy (Oops, my DNS Server DNSSEC is bogus -> Nope. Probably the other mail server isn't DANE safe anymore -> Nope.).
Thanks for your replies.
@andreas:
Well, it was a bit hidden in my bug report but the real issue is that postfix doesn't deliver mail to dane-only domains:
to=<email address hidden>, relay=none, delay=2126, delays=2126/0.01/0/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
I created one test account you may use to send some local mail to: <email address hidden>
This is a valid DANE domain and to reproduce the issue use the following tls policies:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
$ cat /etc/postfix/tls_policy
bueren.space dane-only
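As an added example (not part of the bug report or of Postfix), the script below reproduces the decision behind the "non DNSSEC destination" deferral: for a destination listed as dane-only in the tls_policy map, Postfix needs the MX lookup to come back from the resolver with the AD (authenticated data) flag set; without it DANE cannot be attempted and the mail is deferred. The dig header text and the policy map are constructed sample input so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report. Checks the two things a dane-only
# policy depends on: a DNSSEC-validating resolver (AD flag present) and the
# policy map entries themselves.

# Constructed sample dig headers. On a live system this text would come from:
#   dig +dnssec +noall +comments MX bueren.space @127.0.0.1
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed copy of the tls_policy map from the report, written to a temp file.
POLICY_FILE=$(mktemp)
trap 'rm -f "$POLICY_FILE"' EXIT
cat > "$POLICY_FILE" <<'EOF'
# destination    policy
bueren.space dane-only
example.test may
EOF

# has_ad_flag HEADER_TEXT
# Returns 0 if the dig ";; flags:" line carries "ad", i.e. the resolver
# validated the answer with DNSSEC. Only a local, trusted resolver's AD flag
# means anything; an AD flag relayed over the network can be forged.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# dane_only_domains POLICY_MAP
# Prints every destination whose policy is dane-only (comments are skipped
# because their second field is never "dane-only").
dane_only_domains() {
    awk '$2 == "dane-only" { print $1 }' "$1"
}

# dane_only_check DOMAIN HEADER_TEXT
# Mirrors the outcome Postfix logs for a dane-only destination: without a
# DNSSEC-validated MX answer the delivery is deferred, not downgraded.
dane_only_check() {
    if has_ad_flag "$2"; then
        echo "$1: MX answer is DNSSEC-validated, DANE verification can proceed"
        return 0
    fi
    echo "$1: deferred (non DNSSEC destination): the resolver Postfix uses did not validate the answer"
    return 1
}

# Stand-alone demo: walk the policy map and evaluate each dane-only destination
# against both sample answers.
for d in $(dane_only_domains "$POLICY_FILE"); do
    dane_only_check "$d" "$SAMPLE_VALIDATED"
    dane_only_check "$d" "$SAMPLE_UNVALIDATED" || true
done
```

When the unvalidated branch fires on a real system, the first things to confirm are that the resolver in /etc/resolv.conf is the local validating unbound (not an upstream forwarder that strips AD), and that Postfix itself is configured to request DNSSEC answers (smtp_dns_support_level = dnssec), since either one missing produces the same "non DNSSEC destination" deferral regardless of the remote domain's TLSA records.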