On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:

> Looking at [1] it's not clear to me whether it's possible to require MX RRs of
> a recipient domain to be DNSSEC signed. Any other configuration option for
> that?
Postfix, at present, does not support requiring a DNSSEC-signed MX RRset,
except as part of a "dane-only" security level, which also requires that the
A/AAAA records of at least one MX host are signed and that MX host has correct
TLSA records.

> [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

Policy requiring DNSSEC signed MX RRsets could well apply even for domains
with which TLS is not used; this is not directly related to TLS
authentication. Of course such a policy might allow the "verify" security
level to apply Web PKI PKIX authentication to a verified MX host name.

Still if the domain ever does change their MX records, you might well find
that the peer certificate is now self-signed, or no longer matches the MX
hostname, ... So this would have to be used with care.

I gather you're looking for something like:

    example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes

where "dnssec=yes" would be a new policy option, that requires a "secure" MX
RRset, or "secure" absence of an MX host.

-- 
	Viktor.
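As an added illustration (not Postfix code; the "dnssec=yes" option exists only as the proposal in the message above), the following Python models the two checks on constructed resolver results: what the existing "dane-only" level demands of a recipient domain's DNS, versus what the proposed option would demand. The domain names, addresses and the TLSA digest placeholder are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Lookup:
    """One DNS answer: the records returned and whether the validating
    resolver marked it authenticated (AD bit set). Constructed, not real DNS."""
    records: tuple[str, ...]
    secure: bool

@dataclass
class DomainDns:
    """Everything the MTA would look up for one recipient domain."""
    mx: Lookup                                   # MX RRset; empty records = no MX
    address: dict[str, Lookup] = field(default_factory=dict)  # host -> A/AAAA
    tlsa: dict[str, Lookup] = field(default_factory=dict)     # host -> TLSA

def dane_only_ok(d: DomainDns) -> bool:
    """Existing 'dane-only' level as the thread describes it: MX RRset signed,
    and at least one MX host with signed A/AAAA and signed TLSA records."""
    if not d.mx.secure:
        return False
    for host in d.mx.records:
        addr, tlsa = d.address.get(host), d.tlsa.get(host)
        if addr and addr.secure and tlsa and tlsa.secure and tlsa.records:
            return True
    return False

def dnssec_yes_ok(d: DomainDns) -> bool:
    """Proposed 'dnssec=yes' option: require a 'secure' MX RRset or a 'secure'
    (signed) denial that any MX exists. TLSA records play no part."""
    return d.mx.secure

# Constructed lookup results for four hypothetical recipient domains.
MX = ("mx1.example.com",)
FULL_DANE = DomainDns(
    mx=Lookup(MX, True),
    address={MX[0]: Lookup(("192.0.2.25",), True)},
    tlsa={MX[0]: Lookup(("3 1 1 <TLSA-digest-placeholder>",), True)})
SIGNED_NO_TLSA = DomainDns(                      # signed MX and A, but no TLSA
    mx=Lookup(MX, True),
    address={MX[0]: Lookup(("192.0.2.25",), True)})
UNSIGNED = DomainDns(                            # AD bit clear everywhere
    mx=Lookup(MX, False),
    address={MX[0]: Lookup(("192.0.2.25",), False)})
SIGNED_NO_MX = DomainDns(mx=Lookup((), True))    # signed denial of existence
if __name__ == "__main__":
    for name, d in [("FULL_DANE", FULL_DANE), ("SIGNED_NO_TLSA", SIGNED_NO_TLSA),
                    ("UNSIGNED", UNSIGNED), ("SIGNED_NO_MX", SIGNED_NO_MX)]:
        print(f"{name:15} dane-only={dane_only_ok(d)!s:5} dnssec=yes={dnssec_yes_ok(d)}")
```

The SIGNED_NO_TLSA case is the gap the proposal would fill: a signed MX RRset that "dane-only" rejects because no usable TLSA record exists, while a "dnssec=yes" check would accept it and leave authentication to the "secure"/"verify" level.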