On Sun, Jul 26, 2015 at 01:50:58PM -0400, Mike wrote:

> I'm starting to look at implementing DANE on Postfix, and I have a
> question or two...
> 
> Reading the info here:
> http://www.postfix.org/TLS_README.html#client_tls_dane
> 
> I see the following prerequisite:
>
> "A compile-time DNS resolver library that supports DNSSEC. Postfix
> binaries built on an older system will not support DNSSEC even if
> deployed on a system with an updated resolver library."

Basically, support for the resolver flags "RES_USE_DNSSEC" and
"RES_USE_EDNS0", which have been in BSD systems for quite some time.

> I'm running unbound as my local resolver, but I don't know what Postfix
> was compiled with, as I installed it from a FreeBSD package.

It is the C and/or libresolv libraries on the build system that
determine DNS features.  If the FreeBSD release was not ancient,
you're likely fine.

> Is there a way to see if this prerequisite has been satisfied by the
> version of Postfix I am running on my system?

Send mail to one of the known DANE TLSA domains (after enabling DANE
per the documentation):

        sendmail -bv postmas...@ietf.org
        sendmail -bv postmas...@freebsd.org
        sendmail -bv postmas...@debian.org
        sendmail -bv postmas...@openssl.org
        sendmail -bv postmas...@samba.org
        sendmail -bv postmas...@torproject.org

and check the logs to see whether the TLS authentication status was
"Verified".

> Another question - let's suppose I have succeeded in implementing DANE.
> Will I see any evidence of that success in the Postfix logs or message
> headers (such as I see for TLS)?

Just the logs, when you send mail to a DANE-enabled domain.  There
are not very many of these yet, but the numbers are growing: ~1550
in my survey, but only 21 "large enough" to appear in Google's
email "transparency" dataset.

    https://www.google.com/transparencyreport/saferemail/

A very large fraction of the domains are in Germany, where
prominent adopters include:

    bayern.de
    bund.de
    jpberlin.de
    lrz.de
    posteo.de
    tum.de
    unitymedia.de
    mailbox.org

-- 
        Viktor.
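The check Viktor describes (probe a DANE domain with `sendmail -bv`, then look in the logs for "Verified") can be automated. The following is an added example, not part of the original thread or of Postfix itself: it parses Postfix smtp(8) log lines for the "<Level> TLS connection established to host[addr]:port" message and reports which remote MX hosts were actually authenticated. The log lines, hostnames and addresses are constructed placeholders.

```python
import re

# Constructed sample Postfix smtp(8) log lines; the hostnames and addresses are
# placeholders (RFC 5737 ranges), not real MX hosts. The
# "<Level> TLS connection established to host[addr]:port" wording is Postfix's own.
SAMPLE_LOG = """\
Jul 26 14:02:11 mx postfix/smtp[1234]: Verified TLS connection established to mx1.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 26 14:02:15 mx postfix/smtp[1235]: Trusted TLS connection established to mx.pki-only.example[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 26 14:02:20 mx postfix/smtp[1236]: Untrusted TLS connection established to mx.selfsigned.example[203.0.113.5]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Jul 26 14:02:25 mx postfix/smtp[1237]: Anonymous TLS connection established to mx.nocert.example[203.0.113.9]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Jul 26 14:02:30 mx postfix/smtp[1238]: 4F3A21C0B7: to=<postmaster@dane.example>, relay=mx1.dane.example[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.6/0.2, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)
"""

# Postfix logs one of four trust levels. Only "Verified" means the remote MX
# was authenticated; the other three are (at best) encrypted but unauthenticated.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Verified|Trusted|Untrusted|Anonymous) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+"
)


def tls_levels(log_text):
    """Map each remote MX host to the TLS trust level Postfix logged for it."""
    levels = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            levels[m.group("host")] = m.group("level")
    return levels


def unverified_hosts(log_text):
    """Hosts where authentication did not succeed, i.e. anything but Verified."""
    return sorted(h for h, lvl in tls_levels(log_text).items() if lvl != "Verified")


def dane_check(log_text, expected_hosts):
    """For the MX hosts of the domains probed with 'sendmail -bv', report True
    only where Postfix logged a Verified connection; a host with no TLS line
    at all (delivery deferred, no TLS) also counts as not verified."""
    levels = tls_levels(log_text)
    return {h: levels.get(h) == "Verified" for h in expected_hosts}


if __name__ == "__main__":
    for host, level in tls_levels(SAMPLE_LOG).items():
        print(f"{level:10s} {host}")
    print("DANE check:", dane_check(SAMPLE_LOG, ["mx1.dane.example", "mx.missing.example"]))
```

Feed it the real mail log after the `sendmail -bv` probes; a destination that shows anything other than "Verified" did not get DANE authentication on that hop.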
