> On Jan 25, 2016, at 12:09 PM, Jan Zorz - Go6 <j...@go6.si> wrote:
>
> Maybe this could be implemented in postfix and instead of saying "Verified
> TLS connection" in log we figure out some other description. At the end, DANE
> should be an endpoint verification mechanism, not delegation verification.
> Well, it could also be, but I think we need to use it in both cases.

postfix-3.1-20160103/HISTORY:

    20160103

        Feature: enable DANE policies when an MX host has a
        secure TLSA DNS record, even if the MX DNS record was
        obtained with insecure lookups. The existence of a secure
        TLSA record implies that the host wants to talk TLS and
        not plaintext. This behavior is controlled with
        smtp_tls_dane_insecure_mx_policy (default: "dane", other
        settings: "encrypt" and "may"; the latter is
        backwards-compatible with earlier Postfix releases).
        Viktor Dukhovni. Files: mantools/postlink,
        proto/postconf.proto, src/global/mail_params.h,
        src/posttls-finger/posttls-finger.c, src/smtp/smtp-only,
        src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
        src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
        src/tls/tls.h, src/tls/tls_client.c.

--
Viktor.
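
The thread turns on what the Postfix SMTP client logs for each outbound TLS connection. The following is an added example, not part of either message and not Postfix code: it tallies the status label on those log lines per MX host, so an operator can see which destinations were not logged as "Verified" after changing smtp_tls_dane_insecure_mx_policy. It assumes smtp_tls_loglevel = 1 or higher; the sample lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the Postfix SMTP client logs
# with smtp_tls_loglevel = 1; hosts and addresses are made up.
SAMPLE_LOG = """\
Jan 25 12:09:01 mail postfix/smtp[2101]: Verified TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 12:09:04 mail postfix/smtp[2102]: Trusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 25 12:09:09 mail postfix/smtp[2103]: Untrusted TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Jan 25 12:09:12 mail postfix/smtp[2104]: Anonymous TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
Jan 25 12:09:15 mail postfix/smtp[2105]: 3F2A1C0D: to=<user@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, status=sent (250 ok)
"""

# Matches only the TLS handshake summary line; delivery lines are skipped.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>\w+) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def tally_tls_status(log_text):
    """Return {host: {status: count}} for outbound TLS handshakes."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            counts[m["host"]][m["status"]] += 1
    return {host: dict(statuses) for host, statuses in counts.items()}


def not_always_verified(counts):
    """Hosts with at least one handshake logged as anything but Verified."""
    return sorted(host for host, statuses in counts.items()
                  if any(label != "Verified" for label in statuses))


if __name__ == "__main__":
    result = tally_tls_status(SAMPLE_LOG)
    for host, statuses in sorted(result.items()):
        print(host, statuses)
    print("not always Verified:", not_always_verified(result))
```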