On 2024-06-25 08:44, Jeff Pang via Postfix-users wrote:

> Hello, sorry for the beginner question. How to deploy the following email security features?

RFC 7672 SMTP-DANE
Outgoing:

    # validate DANE
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane   # or dane-only (https://www.postfix.org/TLS_README.html)
Incoming:
- setup DNSSEC for your domain (out of scope here on the postfix list)
- publish TLSA records

e.g. https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix (not everything there is endorsed by several people on this list, especially not the TLS settings in part IV (interoperability vs. "do you really know what you are doing"); what you have to do depends on what you need to protect against (or which checkboxes you have to tick in a report). I provide this link as it gives a good overview about what is involved, not about the particular settings (e.g. you may want to skip large parts of part IV, you may want to use letsencrypt or similar instead of a self-signed cert, you may want to use the PKI cert in the TLSA record (or not), ...).
RFC 8461 MTA-STS
Incoming (out of scope for the postfix list):
- setup of webserver which serves the MTA-STS file
- DNS records

e.g. https://www.digitalocean.com/community/tutorials/how-to-configure-mta-sts-and-tls-reporting-for-your-domain-using-apache-on-ubuntu-18-04 (info: there exist online services and local tools to investigate TLSA reports)
Outgoing: Postfix doesn't come with support for this out of the box. There is https://github.com/Snawoot/postfix-mta-sts-resolver but it has drawbacks (pointed out in the docu).
Bye,
Alexander.

-- 
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
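Added example (not part of the thread above, and not code from Postfix or postfix-mta-sts-resolver): a small parser for the RFC 8461 MTA-STS policy file that the incoming-side webserver has to serve, with the MX-pattern matching rule a sending MTA applies. The sample policy text and all hostnames in it are constructed for illustration.

```python
# Constructed sample of the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.net\nmx: *.backup-mx.example.net\nmax_age: 604800\n"

MAX_AGE_LIMIT = 31557600  # RFC 8461 section 3.2: max_age must not exceed this (about one year)

def parse_policy(text):
    """Return {'version', 'mode', 'max_age', 'mx': [...]} or raise ValueError."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):  # CRLF or LF line endings
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # other keys are extension fields and are ignored (RFC 8461 section 3.2)
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid or missing max_age")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mode %s requires at least one mx line" % policy["mode"])
    return policy

def mx_matches(pattern, hostname):
    """'*' is allowed only as the leftmost label and matches exactly one label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return hostname == pattern

def mx_allowed(policy, hostname):
    # True if the MX host found in DNS is covered by one of the policy's mx patterns
    return any(mx_matches(p, hostname) for p in policy["mx"])

def is_valid_policy(text):
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False
```

A sending MTA in `enforce` mode would refuse delivery to any MX host for which `mx_allowed` returns False, or whose certificate does not match that host.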