On 25/01/16 18:29, Viktor Dukhovni wrote:
> On Jan 25, 2016, at 12:09 PM, Jan Zorz - Go6 <j...@go6.si> wrote:
>> Maybe this could be implemented in postfix and instead of saying "Verified TLS
>> connection" in log we figure out some other description. At the end, DANE should be
>> an endpoint verification mechanism, not delegation verification. Well, it could also be,
>> but I think we need to use it in both cases.
>
> postfix-3.1-20160103/HISTORY:
>
> 20160103
>
> Feature: enable DANE policies when an MX host has a secure
> TLSA DNS record, even if the MX DNS record was obtained
> with insecure lookups. The existence of a secure TLSA record
> implies that the host wants to talk TLS and not plaintext.
> This behavior is controlled with smtp_tls_dane_insecure_mx_policy
> (default: "dane", other settings: "encrypt" and "may"; the
> latter is backwards-compatible with earlier Postfix releases).
> Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
> src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
> src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
> src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
> src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.

Wow, brilliant, thnx!
I see Wes already spoke to you, then ;)
Cheers and thnx, Jan
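
The behaviour described in the quoted HISTORY entry, as an added example that is not part of the original thread and is not Postfix code: a small Python model of how `smtp_tls_dane_insecure_mx_policy` changes the per-host outcome when `smtp_tls_security_level = dane`. The names `Outcome` and `dane_outcome` are hypothetical, and the meaning of the three settings and of the "Trusted"/"Verified" log status follows the postconf(5) description of the parameter rather than anything stated in the messages above.

```python
from typing import NamedTuple, Optional


class Outcome(NamedTuple):
    tls_required: bool         # False: cleartext fallback is still possible
    authenticated: bool        # True: the peer must match a TLSA record
    log_status: Optional[str]  # status word logged when authentication succeeds


SETTINGS = ("dane", "encrypt", "may")
TLSA_STATES = ("none", "unusable", "usable")


def dane_outcome(mx_secure: bool, tlsa: str,
                 insecure_mx_policy: str = "dane") -> Outcome:
    """Model the policy applied to one MX host (illustrative, not Postfix code).

    mx_secure: the MX RRset was DNSSEC-validated.
    tlsa: state of the DNSSEC-validated TLSA RRset for the MX host:
          "none", "unusable" (records exist, none usable) or "usable".
    """
    if insecure_mx_policy not in SETTINGS:
        raise ValueError(f"unknown setting: {insecure_mx_policy!r}")
    if tlsa not in TLSA_STATES:
        raise ValueError(f"unknown TLSA state: {tlsa!r}")

    # No secure TLSA records: DANE has nothing to enforce, TLS stays opportunistic.
    if tlsa == "none":
        return Outcome(False, False, None)

    # Secure TLSA records behind an insecure MX lookup: the new parameter decides.
    if not mx_secure:
        if insecure_mx_policy == "may":      # pre-3.1 behaviour, TLSA ignored
            return Outcome(False, False, None)
        if insecure_mx_policy == "encrypt":  # TLS mandatory, no authentication
            return Outcome(True, False, None)
        # "dane": fall through and treat the TLSA records as usual.

    if tlsa == "unusable":
        return Outcome(True, False, None)

    # Authenticated either way, but the MX host name itself could have been
    # forged when the MX lookup was insecure, so the log says "Trusted".
    return Outcome(True, True, "Verified" if mx_secure else "Trusted")


if __name__ == "__main__":
    for setting in SETTINGS:
        print(setting, dane_outcome(False, "usable", setting))
```
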