Bug 11893

Summary: Mails from the main mail server to internal servers cannot be delivered
Product: Infrastructure Reporter: Michael Tremer <michael.tremer>
Component: Mail & Mailing ListsAssignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED QA Contact: Peter Müller <peter.mueller>
Severity: Major Usability    
Priority: Will affect an average number of users CC: morlix
Version: unspecified   
Hardware: unspecified   
OS: Unspecified   
URL: https://www.linuxtopia.org/online_books/mail_systems/postfix_documentation/TLS_README_005.html
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11898

Description Michael Tremer 2018-10-04 14:30:12 UTC 
This seems to be the problem:

> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.web02.i.ipfire.org type=TLSA: Host not found, try again
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.web02.i.ipfire.org type=TLSA: Host not found, try again
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: TLS policy lookup for [web02.i.ipfire.org]/web02.i.ipfire.org: TLSA lookup error for web02.i.ipfire.org:25
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: TLS policy lookup for [web02.i.ipfire.org]/web02.i.ipfire.org: TLSA lookup error for web02.i.ipfire.org:25
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: E330021B9E5D: to=<bugzilla@web02.i.ipfire.org>, orig_to=<bugzilla@ipfire.org>, relay=none, delay=5.5, delays=0.38/0.03/5.1/0, dsn=4.7.5, status=deferred (TLSA lookup error for web02.i.ipfire.org:25)

However, after a couple of retries, postfix is able to deliver this email.
Comment 1 Peter Müller 2018-10-04 18:40:54 UTC 
Yes, it falls back to "encrypted" delivery policy.

Until #11898 is ready, delivery to internal systems must using this policy by default.
Comment 2 Peter Müller 2018-10-04 18:58:35 UTC 
Problem should be solved by using a TLS specific map for internal transports.

As mentioned, this is only a temporary solution.

Please test and confirm.
Comment 3 Michael Tremer 2018-10-04 19:12:23 UTC 
Thanks for looking at this.

Do you have any idea why this wasn't really an issue for a long time and now
every single email seems to be running into it?
Comment 4 Peter Müller 2018-11-09 17:57:44 UTC 
After the mail session we had yesterday, I think this is fixed. Is it?
Comment 5 Michael Tremer 2018-11-10 12:11:39 UTC 
Yes... still need to test this a little, but I guess this is done.