Ever since I got that automated e-mail telling me my

1 0 1 hash

TLSA record was not usable, I have been confused, because that conformed to the DANE / TLSA RFC.

I suggested that maybe SMTP servers, which are only doing hostname validation and can't be expected to CA validate, should treat a 1 x x as a 3 x x and was basically shot down for suggesting that.

But now reading the Postfix documentation that seems to be exactly what it suggests:

http://www.postfix.org/TLS_README.html#client_tls_dane

``TLSA records with usage "1" are instead treated as "trust assertions" and mapped to usage "3". Specifically, with certificate usage "1", Postfix will not require the remote SMTP server's certificate to be trusted with respect to any locally defined public CAs''

That's what makes sense to me.

I have since changed my _25._tcp tlsa record to use

3 0 1 hash

But now reading the postfix documentation it seems that isn't necessary.

Is it necessary or isn't it?

And please don't suggest I leave for a month, I am just trying to understand.

I like things KISS and DANE seems to no longer be KISS with TLSA record specification varying dependent upon the port.

And now it seems the Postfix docs are in contrast with the draft.

Thank you to anyone who can help me understand what is really going on.

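The difference the post is asking about (a "1 0 1" record versus a "3 0 1" record, and why Postfix treats the first as the second) is easier to see with the matching logic written out. The following is an added worked example, not code from the post, from Postfix, or from the RFCs. It builds the TLSA association data from a certificate for each selector (0 = whole certificate, 1 = subjectPublicKeyInfo) and matching type (1 = SHA-256, 2 = SHA-512), and then checks a presented certificate against the record either the way the quoted Postfix text describes (usage 1 mapped to usage 3, no CA validation) or under the strict RFC 6698 reading of PKIX-EE (end-entity match plus a PKIX-validated chain). The "certificate" is a constructed, minimal DER structure with the RFC 5280 field order and fake contents, so everything runs offline with the standard library only; usage 0 and 2 records are deliberately not modelled, and the `pkix_trusted` flag stands in for a chain validation the example does not perform.

```python
"""DANE/TLSA worked example: record data from a certificate, and SMTP-client
matching under the Postfix mapping (usage 1 -> 3) versus strict RFC 6698.
Added example, not Postfix code; the certificate below is constructed."""
import hashlib

SEQ, INT, OID, BITSTR, NULL, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x05, 0xA0


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nb = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(content: bytes):
    """Yield (tag, whole_tlv) for each element directly inside a SEQUENCE."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Extract the DER subjectPublicKeyInfo (what TLSA selector 1 hashes).
    RFC 5280 tbsCertificate order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == CTX0:      # drop explicit version tag
        fields = fields[1:]
    return fields[5][1]


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data for a selector / matching type pair."""
    blob = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching == 0:
        return blob                               # full data, no hash
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type")


def tlsa_record(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format RDATA, e.g. '3 0 1 <hex>' for the _25._tcp name."""
    return f"{usage} {selector} {matching} {tlsa_data(cert_der, selector, matching).hex()}"


def tlsa_owner(port: int, proto: str, host: str) -> str:
    return f"_{port}._{proto}.{host}."


def parse_tlsa(rdata: str):
    u, s, m, h = rdata.split()
    return int(u), int(s), int(m), bytes.fromhex(h)


def smtp_client_matches(rdata: str, presented_cert_der: bytes, *,
                        strict_rfc6698: bool = False, pkix_trusted: bool = False) -> bool:
    """Does the presented server certificate satisfy the TLSA record?
    Default: the Postfix behaviour quoted in the post (usage 1 treated as 3,
    so no CA validation). strict_rfc6698=True: PKIX-EE additionally needs a
    PKIX-validated chain, represented here by the pkix_trusted flag (assumption:
    no real chain validation is performed). Usage 0 and 2 are not modelled."""
    usage, selector, matching, data = parse_tlsa(rdata)
    if usage == 1 and not strict_rfc6698:
        usage = 3
    if usage not in (1, 3):
        raise NotImplementedError("only usage 1 and 3 are modelled in this example")
    ee_ok = tlsa_data(presented_cert_der, selector, matching) == data
    return (ee_ok and pkix_trusted) if usage == 1 else ee_ok


def build_sample_cert() -> bytes:
    """Constructed stand-in for a DER certificate: real field order, fake contents."""
    rsa_oid = der_tlv(OID, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
    sig_alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    spki = der_tlv(SEQ, der_tlv(SEQ, rsa_oid + der_tlv(NULL, b""))
                   + der_tlv(BITSTR, b"\x00" + bytes(range(1, 33))))
    empty_name = der_tlv(SEQ, b"")
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01")
                  + sig_alg + empty_name + der_tlv(SEQ, b"") + empty_name + spki)
    return der_tlv(SEQ, tbs + sig_alg + der_tlv(BITSTR, b"\x00" + b"\xaa" * 16))


if __name__ == "__main__":
    cert = build_sample_cert()
    print(tlsa_owner(25, "tcp", "mail.example.com"), "IN TLSA", tlsa_record(cert, 3, 1, 1))
```

Re-keying the server or publishing a record for a certificate the remote side does not present will fail the match; re-issuing a certificate for the same key keeps a selector-1 record valid while a selector-0 record must be updated, which is why the key-hash form is usually the less fragile choice.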