Tom Hendrikx:
> Hi,
>
> I configured my mailserver to use DANE for outbound mail whenever
> possible, but I am having a hard time verifying that this actually
> works.
>
> When I use posttls-finger from the machine, it indicates "Verified TLS
> connection established" when I point it to a few MXen that are known to
> have TLSA records available (because they were announced here).
> However, this does not test Postfix itself.

Try: "sendmail -bv u...@example.com"

> One notable difference between posttls-finger and Postfix (as
> described in the documentation) is that Postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts DNSSEC data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).

Postfix does not parse /etc/resolv.conf. There is no reason why Postfix
can't receive responses from a remote DNSSEC-validating resolver. It is
however not a good idea to go out over a network with untrusted machines.

	Wietse
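After the "sendmail -bv" probe suggested above, the place to look is the postfix/smtp entry in the mail log, which records the trust level Postfix assigned to the outbound TLS session ("Verified", "Trusted", "Untrusted" or "Anonymous"); with smtp_tls_security_level = dane and a usable TLSA record, a successful DANE match is logged as "Verified". The following shell helpers, an added example that is not part of this thread nor of the Postfix distribution, classify such log lines and count the verified sessions in a file. The log lines embedded below are constructed samples, not real mail.log data, and the host names and addresses in them are assumptions.

```shell
# Added example (not from the postfix-users thread): classify Postfix
# smtp log lines by the TLS trust level Postfix logged, as a quick check
# after "sendmail -bv user@example.com". Sample log lines are constructed.

# Print the trust level Postfix logged for one postfix/smtp line
# (Verified, Trusted, Untrusted, Anonymous), or "none" if the line is
# not a "... TLS connection established ..." record.
tls_level() {
    case $1 in
        *"Verified TLS connection established"*)  echo Verified ;;
        *"Trusted TLS connection established"*)   echo Trusted ;;
        *"Untrusted TLS connection established"*) echo Untrusted ;;
        *"Anonymous TLS connection established"*) echo Anonymous ;;
        *) echo none ;;
    esac
}

# Print the remote host name from a "... established to HOST[ADDR]:PORT"
# line; prints nothing for lines without that phrase.
tls_peer() {
    printf '%s\n' "$1" |
        sed -n 's/.*TLS connection established to \([^[]*\)\[.*/\1/p'
}

# Count the lines in a log file that Postfix logged as Verified.
# Usage: verified_count /var/log/mail.log
verified_count() {
    n=0
    while IFS= read -r l; do
        [ "$(tls_level "$l")" = Verified ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample log (hypothetical hosts and documentation addresses).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:00:01 mail postfix/smtp[1234]: Verified TLS connection established to mx1.example.com[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun  3 10:00:02 mail postfix/smtp[1235]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  3 10:00:03 mail postfix/smtp[1236]: 4A3F2B1C: to=<user@example.org>, relay=none, delay=0.1, status=deferred (connect to mx.example.org[203.0.113.5]:25: Connection timed out)
EOF

# Report one line per TLS session in the sample: level and peer.
while IFS= read -r l; do
    lvl=$(tls_level "$l")
    [ "$lvl" = none ] || printf '%s %s\n' "$lvl" "$(tls_peer "$l")"
done < "$SAMPLE_LOG"
```

A "Verified" line only tells you that Postfix verified the peer at whatever security level the policy selected for that destination; to attribute it to DANE, confirm that smtp_tls_security_level (or the per-destination policy) is "dane" for that domain, and remember that without a usable TLSA record the dane level degrades and the session is logged as Untrusted or Trusted instead.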