I’m perplexed. I never saw that configuration parameter until now and apparently misinterpreted my Postfix logs. Glad this isn’t an issue. Thanks!

> On 08.02.2025 at 17:42, Viktor Dukhovni via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> On Sat, Feb 08, 2025 at 05:28:31PM +0100, Ömer Güven via Postfix-users wrote:
>
>> RFC 7672 says that Opportunistic DANE (security level "dane", but not
>> "dane-only") may accept non-DNSSEC derived MX records be eligible for
>> DANE on the DNSSEC-signed (e.g. external) SMTP server.
>>
>> RFC 7672 Section 2.2.1:
>
> The primary author of RFC 7672 was also the implementor of DANE support
> in Postfix (and later OpenSSL), with the implementation developed in
> parallel with the specification. Unsurprisingly, the Postfix
> implementation matches the specification.
>
>> This currently isn't the case. Even if a socketmap server returns
>> "dane", Postfix doesn't choose DANE when the MX is retrieved with no
>> DNSSEC signature.
>
> This is not true. See:
>
> http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy
>
> --
> Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org