On Wed, Oct 30, 2024 at 02:14:26PM +0100, Paul Menzel via Postfix-users wrote:

> We are using DANE, but of course the external service provider does not.
> Internally I configured the tls_policy *dane-only* for
> molgen.mpg.de/.molgen.mpg.de which of course leads to trouble in this
> situation. To work around it, I now have:
> 
> molgen.mpg.de                   dane-only
> .molgen.mpg.de                  dane-only
> jobs.molgen.mpg.de              encrypt
> 
> Should I just switch to *dane* and be done with it, leave the special case
> entry above and harden it to *secure*, or somehow configure our server as
> MX, and then let it deliver the message to the external service provider
> SMTP server?

Both the current setup and the alternative are valid choices.  All
depends on how concerned you are that some parts of your domain might
by accident end up with non-DANE MX hosts, and you'd possibly be
vulnerable to MiTM attacks when sending mail to various "molgen"
domains.

While there's only one exception, managing the exception doesn't look
onerous.  You could also select specific "<something>.molgen.mpg.de"
subdomains for "dane-only" and use opportunistic DANE TLS for the
rest.  Your call.

-- 
    Viktor.
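Added example, not code from the thread: a small POSIX shell script that emulates the lookup order Postfix applies to smtp_tls_policy_maps (the exact next-hop domain first, then the ".parent" keys walking up the name, per TLS_README) over the table quoted above and over the alternative Viktor describes, a default of opportunistic "dane" for the zone with "dane-only" pinned to selected subdomains. The "mx.molgen.mpg.de" host in the second table is a made-up name; everything else is taken from the thread.

```shell
#!/bin/sh
# Emulates Postfix's smtp_tls_policy_maps lookup: exact next-hop domain,
# then ".molgen.mpg.de", ".mpg.de", ".de" in that order; first hit wins.
# Note that ".molgen.mpg.de" matches subdomains only, not molgen.mpg.de
# itself, which is why both keys appear in the tables below.

# Constructed table 1: the workaround as posted (dane-only zone, one
# explicit "encrypt" exception for the externally hosted subdomain).
POLICY_CURRENT='molgen.mpg.de       dane-only
.molgen.mpg.de      dane-only
jobs.molgen.mpg.de  encrypt'

# Constructed table 2: Viktor's alternative. Subdomains default to
# opportunistic "dane"; only hosts known to publish TLSA records are
# pinned to "dane-only" (mx.molgen.mpg.de is a hypothetical name).
POLICY_ALT='molgen.mpg.de       dane-only
.molgen.mpg.de      dane
mx.molgen.mpg.de    dane-only
jobs.molgen.mpg.de  encrypt'

# lookup TABLE NEXTHOP: prints the policy that applies, or "(none)" and
# returns 1 when no key matches (Postfix then falls back to
# smtp_tls_security_level).
lookup() {
    table=$1
    key=$2
    while :; do
        val=$(printf '%s\n' "$table" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
        # Drop the leftmost label and try the parent with a leading dot.
        rest=${key#.}
        case $rest in
            *.*) key=".${rest#*.}" ;;
            *)   printf '(none)\n'; return 1 ;;
        esac
    done
}

for host in molgen.mpg.de www.molgen.mpg.de jobs.molgen.mpg.de mx.molgen.mpg.de; do
    printf '%-22s current=%-10s alt=%s\n' "$host" \
        "$(lookup "$POLICY_CURRENT" "$host")" "$(lookup "$POLICY_ALT" "$host")"
done
```

With table 2, a new "something.molgen.mpg.de" that is accidentally hosted on a non-DANE MX still gets opportunistic DANE rather than a hard delivery failure, which is the trade-off Viktor points to.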
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org