Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:
Until now, most DANE deployments have been on small hobbyist machines, by people who mostly don't correspond with each other. So if a particular domain's TLSA RRs were broken, nobody noticed. This is about to change. The German email providers web.de and gmx.de have announced upcoming DANE support (by the end of this year).

What this means for the hobbyist early adopters is that forgetting/failing to do key/cert rollover correctly will soon lead to lost mail. See:

https://dane.sys4.de/common_mistakes#3
https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.1
https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-8.4

If you don't create README files in your certificate directory, add comments to Postfix configuration files, or otherwise create reminders for yourself to not forget to do it right, perhaps DANE is not right for you. "Deploy and forget" does not work for TLSA records if you ever change your certificate or public key.
As security is never "Deploy and forget", this should be obvious, no? DANE will uncover sloppiness which was until now tolerated by SMTP, but this is a good thing IMHO.

My proof will be on 24.09.2015; we will see if it fails ;-)

Regards
Andreas
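The rollover mistake discussed above can be caught by recomputing the TLSA association data from the certificate you are about to install and comparing it with what DNS publishes. The following is an added example, not code from the thread, from Postfix or from the dane.sys4.de checker; it walks the X.509 DER structure with the standard library only, and the sample certificate at the bottom is a constructed skeleton (not a real certificate) used purely to exercise the field order. Function names and the status strings are this example's own.

```python
import hashlib

def _tlv(buf, pos):
    """Decode one DER tag+length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert_der(cert):
    """Return the SubjectPublicKeyInfo TLV of an X.509 DER certificate. tbsCertificate ::=
    SEQ { [0] version OPT, serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_cs, _ = _tlv(cert, 0)
    _, pos, tbs_end = _tlv(cert, cert_cs)           # descend into tbsCertificate
    fields = []                                      # (tlv_start, tlv_end) of each field
    while pos < tbs_end:
        tag, _, ce = _tlv(cert, pos)
        if tag != 0xA0:                              # skip the explicit [0] version
            fields.append((pos, ce))
        pos = ce
    start, end = fields[5]                           # 6th field is the SPKI
    return cert[start:end]

def tlsa_data(cert, selector, mtype):
    """Hex association data of a TLSA RR: selector 0 = full cert, 1 = SPKI;
    matching type 1 = SHA-256, 2 = SHA-512. Usage 3 (DANE-EE) is assumed."""
    data = cert if selector == 0 else spki_from_cert_der(cert)
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def rollover_status(published, current, planned=None):
    """Compare TLSA data published in DNS with the live key and the planned next key."""
    if current not in published:
        return "BROKEN"      # DANE-verifying senders will not deliver
    if planned and planned not in published:
        return "NOT READY"   # publish the new key's RR (and wait out TTLs) before installing it
    return "OK"

def _der(tag, content):      # encode one DER TLV; used only to build the constructed sample
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

# Constructed X.509-shaped skeleton (NOT a real certificate; empty names/validity). Only field order matters.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")
                   + _der(0x03, b"\x00" + b"\xab" * 200))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

With a real certificate, feed the DER bytes of the new cert to `tlsa_data(cert, 1, 1)` and the data fields of the current `_25._tcp.<mx>` TLSA RRset to `rollover_status`; anything other than "OK" means the rollover is not yet safe.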