On Sat, Feb 08, 2025 at 05:28:31PM +0100, Ömer Güven via Postfix-users wrote:
> RFC 7672 says that Opportunistic DANE (security level „dane“, but not
> „dane-only“) may accept non-DNSSEC derived MX records be eligible for
> DANE on the DNSSEC-signed (e. g. external) SMTP server.
>
> RFC 7672 Section 2.2.1:

The primary author of RFC 7672 was also the implementor of DANE support
in Postfix (and later OpenSSL), with the implementation developed in
parallel with the specification. Unsurprisingly, the Postfix
implementation matches the specification.

> This currently isn‘t the case. Even if a socketmap server returns
> „dane“, Postfix doesn‘t choose DANE when the MX is retrieved with no
> DNSSEC signature.

This is not true. See:

    http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy

--
    Viktor.