On Sun, Feb 09, 2025 at 04:35:03PM +0100, Ömer Güven via Postfix-users wrote:

> I can only endorse this. Simply setting it to „dane“ should solve the
> hassle and make the operation more consistent and predictable.

The whole thing is a misunderstanding.  The insecure MX setting is only
ever used iff the initial policy for the destination was dane, but the
MX host turned out insecure.  So the global default should indeed not
be conditioned on the default security level, which is irrelevant.

Only the initial (before MX lookup) TLS security level for the
destination determines whether this setting is in scope.

If you enable "dane" as a default, you also get "half-dane" for the
insecure MX hosts.  If the default is "may" it is naturally "may"
also for the insecure MX hosts.

If a policy table returns (opportunistic) "dane" for a site, then the
insecure MX hosts behave per the insecure MX setting, so the change to
make it dependent on the global default should be reverted.  And all
will be well.  It was correct initially.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
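
The selection logic described in the message above, as a simplified model added here (not Postfix source code and not code from the thread). The function names and the use of the string "half-dane" as a return value are assumptions of this sketch, and every MX host is assumed to publish DNSSEC-signed TLSA records.

```python
# Simplified model of per-MX-host TLS level selection (a sketch, not Postfix
# source). "Insecure MX setting" is Postfix's smtp_tls_dane_insecure_mx_policy;
# the global default is smtp_tls_security_level.

def conditional_default(global_level):
    """Insecure-MX default that is conditioned on the global security level."""
    return "dane" if global_level == "dane" else "may"

def fixed_default(global_level):
    """Insecure-MX default of plain 'dane', independent of the global level."""
    return "dane"

def mx_host_level(initial_level, mx_secure, insecure_mx_policy):
    """TLS behaviour for one MX host of a destination.

    initial_level: level for the destination before the MX lookup.
    mx_secure: True if the MX RRset was DNSSEC-validated.
    """
    if initial_level != "dane":
        return initial_level        # insecure-MX setting is out of scope
    if mx_secure:
        return "dane"               # normal DANE processing
    # Destination started as dane, but the MX host turned out insecure.
    return "half-dane" if insecure_mx_policy == "dane" else insecure_mx_policy

def resolve(global_level, table_level, mx_secure, default_rule):
    """A policy table result, when present, overrides the global default."""
    initial = table_level if table_level is not None else global_level
    return mx_host_level(initial, mx_secure, default_rule(global_level))

# Constructed scenarios: (global default, policy table result, MX secure?)
SCENARIOS = [
    ("dane", None, False),   # dane everywhere, insecure MX
    ("may", None, False),    # may everywhere, insecure MX
    ("may", "dane", False),  # table says dane, global is may, insecure MX
    ("may", "dane", True),   # table says dane, secure MX
]

def compare():
    """Return (scenario, level with conditional default, level with fixed default)."""
    return [(s, resolve(*s, conditional_default), resolve(*s, fixed_default))
            for s in SCENARIOS]

if __name__ == "__main__":
    for scenario, cond, fixed in compare():
        print(scenario, "conditional:", cond, "fixed:", fixed)
```

Only the third scenario differs between the two defaults: a policy table entry of "dane" under a global default of "may" with an insecure MX host.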