On 7/26/2015 2:11 PM, Wietse Venema wrote:
> Mike:
>> Postfix 2.11.5 on FreeBSD 10.1 AMD64
>>
>> I'm starting to look at implementing DANE on Postfix, and I have a
>> question or two...
>>
>> Reading the info here:
>> http://www.postfix.org/TLS_README.html#client_tls_dane
>>
>> I see the following prerequisite:
>> "A compile-time DNS resolver library that supports DNSSEC. Postfix
>> binaries built on an older system will not support DNSSEC even if
>> deployed on a system with an updated resolver library."
>
> Postfix needs to be built on a system where libresolv supports
> DNSSEC. This is already available in a FreeBSD 7.2 virtual machine
> that I have lying around.
>
> freebsd72% grep RES_USE_DNSSEC /usr/include/resolv.h
> #define RES_USE_DNSSEC 0x00200000 /*%< use DNSSEC using OK bit in OPT */
>
>> I'm running unbound as my local resolver, but I don't know what Postfix
>> was compiled with, as I installed it from a FreeBSD package. Is there a
>> way to see if this prerequisite has been satisfied by the version of
>> Postfix I am running on my system?
>
> % strings /usr/libexec/postfix/smtp | grep -i tlsa
> lmtp_tls_force_insecure_host_tlsa_lookup
> smtp_tls_force_insecure_host_tlsa_lookup
> TLSA lookup error for %s:%u
> no TLSA records found
> TLSA records unusable
>
>> Another question - let's suppose I have succeeded in implementing DANE.
>> Will I see any evidence of that success in the Postfix logs or message
>> headers (such as I see for TLS)?
>
> With opportunistic TLSA, I suppose it will say something.
>
> Wietse
>
Bringing this thread to closure.... The domain in question has migrated to the new registrar and now has DNSSEC enabled. In the logs for Postfix client I see the "Verified" as I noted in another email. To test the server's configuration, I found this site: https://dane.sys4.de/ that lets me know if Postfix server DANE (along with DNSSEC and TLSA) is working as expected. So far, everything is working quite well. Thanks for the assist. (Now on to the next project....)
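Added example, not part of the thread: a small parser for the Postfix smtp(8) client log lines the thread refers to (the "Verified" / "Trusted" / "Untrusted" / "Anonymous" TLS connection messages and the "TLSA lookup error for host:port" warning seen in the strings output above), run over constructed sample lines so that DANE success and TLSA lookup failures can be counted per destination host. Hostnames, addresses and timestamps in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Postfix smtp(8) client logging.
SAMPLE_LOG = """\
Jul 27 10:01:02 mx postfix/smtp[1234]: Verified TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 27 10:02:15 mx postfix/smtp[1235]: Trusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 27 10:03:40 mx postfix/smtp[1236]: Untrusted TLS connection established to relay.example.com[203.0.113.5]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Jul 27 10:04:01 mx postfix/smtp[1237]: warning: TLSA lookup error for mail.example.org:25
Jul 27 10:05:12 mx postfix/smtp[1238]: Anonymous TLS connection established to smtp.example.edu[192.0.2.77]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# "Verified" is the level Postfix logs when the peer certificate was authenticated
# (for the dane security level: matched a DNSSEC-validated TLSA record).
# "Trusted" means CA-verified only; "Untrusted"/"Anonymous" mean no authentication.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Verified|Trusted|Untrusted|Anonymous) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+)"
)
# Matches the "TLSA lookup error for %s:%u" format string from the smtp binary.
TLSA_ERR_RE = re.compile(r"TLSA lookup error for (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_tls_events(log_text):
    """Return (counts, hosts, tlsa_errors): a Counter of trust levels, the last
    level seen per destination host, and a list of (host, port) TLSA lookup errors."""
    counts = Counter()
    hosts = {}
    tlsa_errors = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            counts[m["level"]] += 1
            hosts[m["host"]] = m["level"]
            continue
        e = TLSA_ERR_RE.search(line)
        if e:
            tlsa_errors.append((e["host"], int(e["port"])))
    return counts, hosts, tlsa_errors


def dane_verified_hosts(log_text):
    """Sorted list of destination hosts whose last TLS session reached 'Verified'."""
    _, hosts, _ = parse_tls_events(log_text)
    return sorted(h for h, level in hosts.items() if level == "Verified")


if __name__ == "__main__":
    counts, hosts, errors = parse_tls_events(SAMPLE_LOG)
    print(dict(counts), hosts, errors, dane_verified_hosts(SAMPLE_LOG))
```

Pointing it at a real mail log (for example `parse_tls_events(open("/var/log/maillog").read())`) gives a quick per-host view of whether DANE verification is actually happening, and which destinations produced TLSA lookup errors.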