I have two nearly identically configured ISPConfig mail systems: mine and one at a customer's site. If my customer tries to send a mail to somebody, it is not sent. The Postfix log shows [postfix/smtp[53376]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.server.domain.tld type=TLSA: Host not found, try again]. If I send a mail to the same recipient, the mail goes through. Why does Postfix look for this record? I compared all the parts of main.cf that seemed relevant to me on both systems, no difference. Both systems run Debian 10 with the latest patches and the latest ISPConfig. Thanks for any help or hint. Rainer
target mail1.fanucc.eu and mail2.fanuc.eu source working is smtp1.gerdakloos.de source sending denied mail.max-eckstein.de
What is the setting of smtp_tls_security_level in /etc/postfix/main.cf on the host that malfunctions?
smtp_tls_security_level = dane, but on my server it is the same. smtpd_tls_security_level on both servers is may.
Because your smtp_tls_security_level is set to dane, which is generally not a problem, except: the difference is in your DNS resolver; the TLSA lookups are failing from one site and not the other. Do you use localhost as the DNS resolver? (FWIW, you almost always should on a mail server.) Is the same software answering there (e.g. both running bind, or both unbound, etc.)? What is the domain you are trying to email to?
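To make the resolver diagnosis above concrete, here is a small added triage script (not from the thread, not part of ISPConfig or Postfix). It reads Postfix log lines, picks out the "DANE TLSA lookup problem" warnings, decodes the TLSA owner name back into MX host and port, and separates the "try again" (temporary, SERVFAIL-style) result that makes Postfix defer mail under smtp_tls_security_level = dane from a definite name error. The log lines, host names and queue ID are constructed placeholders.

```python
import re

# Constructed sample Postfix log lines modelled on the warning quoted in the
# question; host names and the queue ID are placeholders, not thread data.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtp[53376]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.server.domain.tld type=TLSA: Host not found, try again
Jan 10 12:00:02 mx postfix/smtp[53376]: 4ABC123: to=<user@domain.tld>, relay=none, delay=0.5, delays=0.1/0/0.4/0, dsn=4.7.5, status=deferred (TLSA lookup error for server.domain.tld:25)
Jan 10 12:00:05 mx postfix/smtp[53380]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.mx.other.example type=TLSA: Host not found
"""

WARNING_RE = re.compile(
    r"warning: DANE TLSA lookup problem: .*?"
    r"name=(?P<name>\S+) type=TLSA: (?P<err>.+)$"
)
# TLSA owner names have the form _<port>._<proto>.<mx-host>
TLSA_NAME_RE = re.compile(r"^_(?P<port>\d+)\._(?P<proto>\w+)\.(?P<host>.+?)\.?$")


def parse_tlsa_name(name):
    """Split a TLSA owner name such as _25._tcp.mx.example into (port, proto, host)."""
    m = TLSA_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a TLSA owner name: {name}")
    return int(m.group("port")), m.group("proto"), m.group("host")


def classify(err):
    """Map the resolver error text to (is_transient, advice)."""
    if err.endswith("try again"):
        # TRY_AGAIN: the resolver returned no usable (validated) answer, so
        # Postfix defers the message rather than sending without DANE.
        return True, ("temporary lookup failure: the resolver gave no validated "
                      "answer; check that this MTA uses a local DNSSEC-validating "
                      "resolver and that it is reachable")
    return False, ("definite name error: query the TLSA name by hand on this host "
                   "and on the working host and compare the responses")


def triage(log_text):
    """Return one dict per DANE TLSA warning found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        port, proto, host = parse_tlsa_name(m.group("name"))
        transient, advice = classify(m.group("err"))
        events.append({"name": m.group("name"), "host": host, "port": port,
                       "proto": proto, "error": m.group("err"),
                       "transient": transient, "advice": advice})
    return events


def report(events):
    for e in events:
        kind = "DEFER (temporary)" if e["transient"] else "permanent"
        print(f"{e['host']}:{e['port']}/{e['proto']}  {kind}  {e['error']}")
        print(f"    -> {e['advice']}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run it against `/var/log/mail.log` on both hosts; if only the customer's site shows the "try again" class, the next step is to run the same `dig +dnssec _25._tcp.<mx-host> TLSA` on both machines and compare whether the answers carry the AD flag, which is what Postfix needs from the resolver for DANE.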
I know this is an old thread, but have you looked into using Cloudflare for DNS, and then using tools like this to generate the DANE certification: https://github.com/ekollof/gentlsa ?
ISPConfig supports TLSA records for quite some time, so no need to implement anything to start using DANE on your server. All you have to do is to add the TLSA record to your DNS zone in DNS manager, you do not need CloudFlare for that.
I added the 3 1 1 type record and it validated OK, but I don't know what will happen when the certificate renews. I will wait for the renewal.
The TLSA record will not update automatically. You can use 2 1 1 to pin the intermediate certificate of Let's Encrypt.
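The renewal worry in the two posts above is exactly what a pre-publication check should catch. The following added example (not ISPConfig code, not from the thread) parses TLSA lines from a zone fragment, validates the usage/selector/matching fields and digest length, states what each record pins (a 3 1 1 record pins the server key and must be republished before the key changes; a 2 1 1 record pins the issuing CA key), and builds the set of records that should be live while a new key is rolled in. The zone lines and all hex digests are constructed placeholders, not hashes of any real certificate.

```python
import re
from dataclasses import dataclass

# Hypothetical zone fragment constructed for this example; the hex digests are
# placeholders, not hashes of any real certificate.
SAMPLE_ZONE = """\
; DANE records for the MX host (constructed)
_25._tcp.mail.example.test. IN TLSA 3 1 1 {ee}
_25._tcp.mail.example.test. IN TLSA 2 1 1 {ca}
_25._tcp.mail.example.test. IN TLSA 3 1 1 {short}
_25._tcp.mail.example.test. IN TLSA 0 0 1 {ee}
mail.example.test.          IN TLSA 3 1 1 {ee}
""".format(ee="ab" * 32, ca="cd" * 32, short="ef" * 30)

RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+"
    r"(?P<u>\d+)\s+(?P<s>\d+)\s+(?P<m>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$"
)
OWNER_RE = re.compile(r"^_(?P<port>\d+)\._(?P<proto>tcp|udp|sctp)\.(?P<host>\S+)$")
DIGEST_HEX_LEN = {1: 64, 2: 128}  # matching type 1 = SHA-256, 2 = SHA-512


@dataclass
class TlsaRecord:
    owner: str
    usage: int
    selector: int
    matching: int
    data: str

    def text(self):
        return f"{self.owner} IN TLSA {self.usage} {self.selector} {self.matching} {self.data}"


def parse_zone(text):
    """Parse TLSA RRs from zone text; comments (;) and non-TLSA lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = RR_RE.match(line)
        if m:
            records.append(TlsaRecord(m.group("owner"), int(m.group("u")),
                                      int(m.group("s")), int(m.group("m")),
                                      re.sub(r"\s+", "", m.group("data")).lower()))
    return records


def check_record(rec):
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    if not OWNER_RE.match(rec.owner):
        problems.append("owner must be _<port>._<proto>.<mx-host>")
    if rec.usage not in (0, 1, 2, 3):
        problems.append(f"usage {rec.usage} is undefined")
    elif rec.usage in (0, 1):
        problems.append("usage 0/1 (PKIX-TA/PKIX-EE) is not used for SMTP (RFC 7672); use 2 or 3")
    if rec.selector not in (0, 1):
        problems.append(f"selector {rec.selector} is undefined")
    if rec.matching not in (0, 1, 2):
        problems.append(f"matching type {rec.matching} is undefined")
    want = DIGEST_HEX_LEN.get(rec.matching)
    if want and len(rec.data) != want:
        problems.append(f"matching type {rec.matching} needs {want} hex chars, got {len(rec.data)}")
    return problems


def rotation_hint(rec):
    """What the record pins, and therefore when it has to be republished."""
    if rec.usage == 3:
        what = "the server's own public key" if rec.selector == 1 else "the server's full certificate"
        return f"pins {what}: republish (or keep the key) before each renewal"
    if rec.usage == 2:
        return "pins the issuing CA key: survives renewals until the CA chain changes"
    return "not usable for SMTP DANE"


def rollover_records(records, host, port, new_digest):
    """Records that should be live while a new end-entity key is rolled in:
    every valid existing 3 1 1 record plus the new one, so both the old and
    the new certificate validate during the changeover."""
    owner = f"_{port}._tcp.{host}."
    keep = [r for r in records if r.owner == owner and r.usage == 3 and not check_record(r)]
    if not any(r.data == new_digest for r in keep):
        keep.append(TlsaRecord(owner, 3, 1, 1, new_digest))
    return keep


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        issues = check_record(rec)
        print(rec.text())
        print("   ", "; ".join(issues) if issues else "OK: " + rotation_hint(rec))
```

The rollover helper encodes the usual DANE practice: publish the new 3 1 1 record alongside the old one, wait for the old TTL to expire, deploy the new certificate, then remove the old record; the 2 1 1 alternative mentioned above avoids this dance as long as the issuing intermediate stays the same.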
Similarly, if all or most of your domains are using Cloudflare for DNS (which many people have, since it offers, for one, cloudflared as an option, which saves a lot of hassle if you're living behind a CGNAT at home, and that's just one advantage of using CF for DNS..), it's easy to implement DANE using https://github.com/ekollof/gentlsa, or make use of their API and combine it with LetsEncrypt and the wildcard domain certs (also very handy for use in dovecot and postfix, but I digress).. It would be nice if we could just auto-export all ISPConfig DNS records to Cloudflare. Maybe even use glue records, and then you'd have DMARC, DKIM, SPF, LetsEncrypt wildcard subdomains *and* DANE TLSA all functional in one go.