Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:
>
>> Looking at [1] it's not clear to me whether it's possible to require MX RRs of
>> a recipient domain to be DNSSEC signed. Any other configuration option for
>> that?
>
> Postfix, at present, does not support requiring a DNSSEC-signed MX
> RRset, except as part of a "dane-only" security level, which also
> requires that the A/AAAA records of at least one MX host are signed
> and that MX host has correct TLSA records.

Maybe there should be some additional text for 'dane-only' in [1]? I'm not sure
about the correct wording though.

>> [1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
>
> Policy requiring DNSSEC signed MX RRsets could well apply even for
> domains with which TLS is not used, this is not directly related
> to TLS authentication.

Agreed.

> Of course such a policy might allow the "verify" security level to
> apply Web PKI PKIX authentication to a verified MX host name. Still
> if the domain ever does change their MX records, you might well
> find that the peer certificate is now self-signed, or no longer
> matches the MX hostname, ... So this would have to be used with care.

I make use of TLS policy and it works quite well. Of course the policy options
are chosen carefully depending on how reliable the information about the
particular target domains are.

> I gather you're looking for something like:
>
> example.com secure match=nexthop:dot-nexthop:hostname dnssec=yes
>
> where "dnssec=yes" would be a new policy option, that requires a
> "secure" MX RRset, or "secure" absence of an MX host.

Yes. :-)

Ciao, Michael.
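The two conditions discussed in this thread, a "secure" MX RRset (or a "secure" proof that the domain has no MX) for the proposed dnssec=yes option, and the stricter "dane-only" prerequisite of a signed MX RRset plus at least one MX host with signed address records and TLSA records, can be modelled by reading the AD ("authenticated data") bit that a validating resolver sets in its response. The following is an added example, not code from the thread or from Postfix: it builds constructed DNS responses in wire format, parses the header, the AD bit, the RCODE and the MX answers with a small stdlib-only parser, and evaluates both conditions. The function names (build_response, parse_mx_response, mx_rrset_secure, dane_only_satisfiable) and the host_status mapping are assumptions made for the example.

```python
import struct

MX_TYPE = 15
AD_FLAG = 0x0020          # AD bit in the second flags byte of the DNS header
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, mx_records, ad=True, rcode=RCODE_NOERROR):
    """Construct a minimal DNS response (header + question + MX answers).
    This is sample data assembled here, not a capture from a real resolver."""
    flags = 0x8180 | (AD_FLAG if ad else 0) | (rcode & 0xF)   # QR, RD, RA [, AD]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(mx_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", MX_TYPE, 1)
    answers = b""
    for pref, exchange in mx_records:
        rdata = struct.pack("!H", pref) + encode_name(exchange)
        # 0xC00C: compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", MX_TYPE, 1, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_mx_response(msg):
    """Extract the AD bit, the RCODE and the MX RRset from a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                  # qtype + qclass
    mx = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == MX_TYPE:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = read_name(msg, offset + 2)
            mx.append((pref, exchange))
        offset += rdlen
    return {"ad": bool(flags & AD_FLAG), "rcode": flags & 0xF, "mx": sorted(mx)}


def mx_rrset_secure(result):
    """The proposed dnssec=yes semantics: a validated MX RRset, or a validated
    denial (NXDOMAIN or NODATA) proving the domain has no MX records."""
    return result["ad"] and result["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN)


def dane_only_satisfiable(mx_result, host_status):
    """Model of the 'dane-only' prerequisites described in the thread: a signed
    MX RRset and at least one MX host whose A/AAAA records are signed and which
    has TLSA records. host_status maps exchange name -> (addresses_signed, has_tlsa)
    and stands in for the per-host lookups (constructed input for the example)."""
    if not (mx_result["ad"] and mx_result["mx"]):
        return False
    return any(host_status.get(host) == (True, True) for _pref, host in mx_result["mx"])


if __name__ == "__main__":
    signed = build_response("example.com.", [(10, "mx1.example.com."), (20, "mx2.example.com.")])
    print(parse_mx_response(signed), mx_rrset_secure(parse_mx_response(signed)))
```

The AD bit is only meaningful when the answer comes from a validating resolver over a path that cannot be tampered with, typically one on the local host; an AD bit forwarded across an untrusted network is no evidence of anything. Note also that the mx_rrset_secure check is independent of TLS, matching the point made in the thread that a signed-MX requirement could apply to domains with which no TLS is used at all.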