Hello, I wrote a script to do DNS updates of the TLSA fields of DANE security by NSUPDATE (if the Let's Encrypt certificates were updated). I just modified the script so that it sends the new certificate to the mail server (Zimbra) and deploys it.
The script is here: https://howto.zw3b.fr/linux/securite/ce ... e-nsupdate
To be valid DANE : https://stats.dnssec-tools.org/explore/?zw3b.eu
postfix (Zimbra) security:
Code:
zimbra@mail:~$ zmprov ms $(zmhostname) zimbraMtaSmtpDnsSupportLevel "dnssec"
zimbra@mail:~$ zmprov ms $(zmhostname) zimbraMtaSmtpTlsSecurityLevel "dane"
Greets,
Romain
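An added example, not the script linked in the post: one way to derive a TLSA record from a renewed certificate and build the matching nsupdate input. The `3 0 1` parameters, the `_25._tcp` owner name, the `example.test` names, the TTL and the keep-old-then-retire behaviour are all assumptions made for illustration.

```python
import hashlib
import ssl

# Constructed stand-in for a certificate: PEM armor around arbitrary bytes.
# The TLSA digest is taken over the DER bytes, so this is enough offline.
SAMPLE_DER = b"constructed-certificate-bytes-for-illustration" * 8
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def tlsa_rdata(pem: str) -> str:
    """TLSA RDATA '3 0 1 <hex>': DANE-EE, full certificate, SHA-256."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return "3 0 1 " + hashlib.sha256(der).hexdigest()


def nsupdate_batch(server, zone, owner, new_rdata, published,
                   ttl=3600, retire=False):
    """Build nsupdate input that publishes new_rdata at owner.

    published: TLSA RDATA strings currently in the zone.
    retire=False keeps the old records, so resolvers that still cache
    them keep matching during the changeover; run again with
    retire=True once the old TTL has expired.
    Returns None when nothing has to change.
    """
    header = [f"server {server}", f"zone {zone}"]
    changes = []
    if new_rdata not in published:
        changes.append(f"update add {owner} {ttl} IN TLSA {new_rdata}")
    if retire:
        for old in published:
            if old != new_rdata:
                changes.append(f"update delete {owner} IN TLSA {old}")
    if not changes:
        return None
    return "\n".join(header + changes + ["send"]) + "\n"


if __name__ == "__main__":
    owner = "_25._tcp.mail.example.test."  # hypothetical MX host, port 25
    stale = "3 0 1 " + "ab" * 32           # constructed "old" record
    print(nsupdate_batch("ns1.example.test", "example.test.", owner,
                         tlsa_rdata(SAMPLE_PEM), [stale]))
```

The returned text can be fed to `nsupdate -k <keyfile>` on standard input; publishing the new record before the mail server starts presenting the new certificate keeps DANE validation from failing during the switch.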
-----
OK, thank you, I will apply your recommendation, although I receive the report with 100% good compliance.
I cannot help you with your current question.
However, given the problems you describe in that debian-fr thread, I highly encourage you to upgrade/fix/enhance your SPF (for each one of your sending domains).
Once you get this crucial setting fixed, I suspect your DMARC reports about other systems trying to impersonate your domains should drop a lot.
Will this fix your deliveries to Gmail?
I have no idea.
Romain
Statistics: Posted by LAB3W.ORJ — Thu May 09, 2024 3:38 pm