On Sun, Jul 26, 2015 at 01:50:58PM -0400, Mike wrote:

> I'm starting to look at implementing DANE on Postfix, and I have a
> question or two...
>
> Reading the info here:
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> I see the following prerequisite:
>
> "A compile-time DNS resolver library that supports DNSSEC. Postfix
> binaries built on an older system will not support DNSSEC even if
> deployed on a system with an updated resolver library."

Basically, support for the resolver flags "RES_USE_DNSSEC" and
"RES_USE_EDNS0", which has been in BSD systems for quite some time.

> I'm running unbound as my local resolver, but I don't know what Postfix
> was compiled with, as I installed it from a FreeBSD package.

It is the C and/or libresolv libraries on the build system that
determine DNS features. If the FreeBSD release was not ancient, you're
likely fine.

> Is there a way to see if this prerequisite has been satisfied by the
> version of Postfix I am running on my system?

Send mail to one of the known DANE TLSA domains (after enabling DANE
per the documentation):

    sendmail -bv postmas...@ietf.org
    sendmail -bv postmas...@freebsd.org
    sendmail -bv postmas...@debian.org
    sendmail -bv postmas...@openssl.org
    sendmail -bv postmas...@samba.org
    sendmail -bv postmas...@torproject.org

and check the logs to see whether the TLS authentication status was
"Verified".

> Another question - let's suppose I have succeeded in implementing DANE.
> Will I see any evidence of that success in the Postfix logs or message
> headers (such as I see for TLS)?

Just the logs, when you send mail to a DANE-enabled domain. There are
not very many of these yet, but the numbers are growing, ~1550 in my
survey, but only 21 "large enough" to appear in Google's email
"transparency" dataset.

    https://www.google.com/transparencyreport/saferemail/

A very large fraction of the domains are in Germany, where prominent
adopters include:

    bayern.de
    bund.de
    jpberlin.de
    lrz.de
    posteo.de
    tum.de
    unitymedia.de
    mailbox.org

-- 
	Viktor.
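The check Viktor describes (run `sendmail -bv` against a DANE domain, then look in the mail log for "Verified") is easy to do by eye for one domain and tedious for a list. The script below is an added example, not part of Viktor's reply or of the Postfix distribution: it reads Postfix `smtp(8)` log lines from stdin and reports the TLS authentication status logged for the last session to a given MX host, so a batch of `sendmail -bv` probes can be checked mechanically. The sample log lines are constructed for the example, not captured from a real system, and the `main.cf` settings in the header comment are the documented DANE client settings from TLS_README, assumed to be in place before probing.

```shell
#!/bin/sh
# Added example (not from Viktor's message or the Postfix project):
# classify the TLS authentication status that Postfix logs for outbound
# SMTP sessions, so a "sendmail -bv" DANE probe can be checked in bulk.
#
# Assumed main.cf for the probe (per TLS_README, client side):
#   smtp_dns_support_level  = dnssec
#   smtp_tls_security_level = dane
#   smtp_tls_loglevel       = 1
#
# Postfix logs one of these prefixes per TLS session:
#   Verified   TLS connection - certificate matched the required policy
#                               (with "dane": the TLSA records); this is
#                               the outcome that proves DANE worked
#   Trusted    TLS connection - chain verified against trusted CAs but the
#                               peer name was not matched or not required
#   Untrusted  TLS connection - certificate could not be verified
#   Anonymous  TLS connection - no usable certificate / anonymous cipher

# Constructed sample log lines (not real traffic); addresses are RFC 5737
# documentation ranges.
SAMPLE_LOG='Jul 26 14:02:11 mx postfix/smtp[4242]: Verified TLS connection established to mail.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 26 14:02:12 mx postfix/smtp[4242]: 3BCD1234: to=<postmaster@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=0.6, delays=0.1/0/0.4/0.1, dsn=2.0.0, status=deliverable (250 2.1.5 Ok)
Jul 26 14:03:01 mx postfix/smtp[4243]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 26 14:03:30 mx postfix/smtp[4244]: Anonymous TLS connection established to smtp.example.com[203.0.113.9]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)'

# tls_status HOST < maillog
#   Print the TLS status word ("Verified", "Trusted", "Untrusted",
#   "Anonymous") from the most recent TLS session to HOST, or "none"
#   if no TLS session to that host was logged.  Matching on " to HOST["
#   avoids regex metacharacter issues with dotted hostnames.
tls_status() {
    awk -v h="$1" '
        / TLS connection established to / && index($0, " to " h "[") {
            for (i = 2; i < NF; i++)
                if ($i == "TLS" && $(i+1) == "connection")
                    status = $(i-1)          # word before "TLS connection"
        }
        END { print (status == "" ? "none" : status) }'
}

# dane_ok HOST < maillog
#   Succeed (exit 0) only if the last session to HOST was "Verified",
#   i.e. the certificate matched the policy Postfix enforced for it.
dane_ok() {
    [ "$(tls_status "$1")" = "Verified" ]
}

# Stand-alone demonstration over the constructed sample; on a live system
# replace the printf with e.g.  tls_status mail.example.org < /var/log/maillog
for host in mail.example.org mx.example.net smtp.example.com; do
    printf '%-20s %s\n' "$host" "$(printf '%s\n' "$SAMPLE_LOG" | tls_status "$host")"
done
```

Note that "Verified" alone does not tell you which policy produced it: under `smtp_tls_security_level = dane`, a destination with no usable (or unsigned) TLSA records is delivered with opportunistic TLS and will log "Untrusted" or "Trusted" rather than fail, so a probe to one of the known DANE domains in Viktor's list is what distinguishes "DANE working" from "DANE silently not applied".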