Mike:
> Postfix 2.11.5 on FreeBSD 10.1 AMD64
>
> I'm starting to look at implementing DANE on Postfix, and I have a
> question or two...
>
> Reading the info here:
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> I see the following prerequisite:
> "A compile-time DNS resolver library that supports DNSSEC. Postfix
> binaries built on an older system will not support DNSSEC even if
> deployed on a system with an updated resolver library."
Postfix needs to be built on a system where libresolv supports DNSSEC.
This is already available in a FreeBSD 7.2 virtual machine that I have
lying around.

freebsd72% grep RES_USE_DNSSEC /usr/include/resolv.h
#define RES_USE_DNSSEC 0x00200000 /*%< use DNSSEC using OK bit in OPT */

> I'm running unbound as my local resolver, but I don't know what Postfix
> was compiled with, as I installed it from a FreeBSD package. Is there a
> way to see if this prerequisite has been satisfied by the version of
> Postfix I am running on my system?

% strings /usr/libexec/postfix/smtp | grep -i tlsa
lmtp_tls_force_insecure_host_tlsa_lookup
smtp_tls_force_insecure_host_tlsa_lookup
TLSA lookup error for %s:%u
no TLSA records found
TLSA records unusable

> Another question - let's suppose I have succeeded in implementing DANE.
> Will I see any evidence of that success in the Postfix logs or message
> headers (such as I see for TLS)?

With opportunistic TLSA, I suppose it will say something.

	Wietse
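As an added example (not Wietse's reply and not Postfix project code), the two checks from this message folded into POSIX sh functions with distinct exit codes, so they can be dropped into a build or deployment check: the smtp binary is searched for the TLSA strings with grep -a (works where strings(1) from binutils is absent), and resolv.h is checked for RES_USE_DNSSEC. The binary and header paths are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the Postfix project or from this thread.

# Return 0 if the file at $1 carries the TLSA strings a DANE-capable
# Postfix smtp(8) embeds, 1 if it does not, 2 if the file is unreadable.
postfix_dane_capable() {
    bin="$1"
    [ -r "$bin" ] || return 2
    # The parameter name is the most specific marker; the log string is a
    # second chance in case a packager renamed or stripped things oddly.
    if grep -a -q 'smtp_tls_force_insecure_host_tlsa_lookup' "$bin" \
       || grep -a -q 'no TLSA records found' "$bin"; then
        return 0
    fi
    return 1
}

# Return 0 if the resolver header at $1 (default: /usr/include/resolv.h,
# path assumed from the thread) defines RES_USE_DNSSEC, 1 if it does not,
# 2 if the header is unreadable.
resolver_supports_dnssec() {
    hdr="${1:-/usr/include/resolv.h}"
    [ -r "$hdr" ] || return 2
    grep -q 'RES_USE_DNSSEC' "$hdr"
}

# Report on a live system when invoked as: sh check-dane.sh --run
if [ "${1:-}" = "--run" ]; then
    bin=/usr/libexec/postfix/smtp   # assumed path, as in the thread
    postfix_dane_capable "$bin"; rc=$?
    case $rc in
        0) echo "$bin: built with TLSA/DANE support" ;;
        1) echo "$bin: no TLSA strings; rebuild against a DNSSEC-aware libresolv" ;;
        *) echo "$bin: not found or unreadable" ;;
    esac
    if resolver_supports_dnssec; then
        echo "resolv.h: RES_USE_DNSSEC present"
    else
        echo "resolv.h: RES_USE_DNSSEC absent or header unreadable"
    fi
fi
```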