On Fri, Oct 13, 2017 at 04:53:57AM +0000, Mal wrote:

> Wondering if Postfix logs any DANE operations?

With DANE turned on, when you send email to a destination with DNSSEC
and correctly configured TLSA records, the delivery is logged as
"Verified" at smtp_tls_loglevel=1. Barring any explicit tls policies
for some special domains, anything that is logged as "Verified" used
DANE to reach that state.

> smtp_use_tls = yes
> smtp_tls_security_level = dane
> smtp_dns_support_level = dnssec
>
> MTA hostnames pass various online SMTP TLS checkers
> (like https://www.huque.com/bin/danecheck ).

While it is good to enable DANE TLSA records for your own MTA, so
that *other* domains can send you email securely, this has nothing
to do with how your own outbound mail is logged. In the inbound
direction the receiving MTA is passive, and does not know how or
whether the sending MTA verified its certificate.

Some better-known DANE domains, that you might encounter in your
logs, if you happen to correspond with any of those:

    gmx.at nic.br registro.br gmx.ch open.ch switch.ch gmx.com
    mail.com solvinity.com t-2.com trashmail.com bayern.de bund.de
    freenet.de gmx.de jpberlin.de lrz.de mail.de posteo.de
    ruhr-uni-bochum.de tum.de uni-erlangen.de unitybox.de
    unitymedia.de web.de tilburguniversity.edu gmx.net t-2.net
    xs4all.net asp4all.nl bhosted.nl bit.nl otvi.nl uvt.nl xs4all.nl
    domeneshop.no debian.org freebsd.org gentoo.org ietf.org isc.org
    lazarus-ide.org netbsd.org openssl.org samba.org torproject.org
    t-2.si mail.co.uk govtrack.us

--
Viktor.
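One way to pull the outbound verification status out of a mail log, added here as an illustration and not part of the original message. It assumes the usual smtp_tls_loglevel=1 line shape ("<status> TLS connection established to host[addr]:port"); the sample log lines, hostnames and function names are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (hosts, addresses and PIDs are made up).
SAMPLE_LOG = """\
Oct 13 05:01:02 mta postfix/smtp[2101]: Verified TLS connection established to mx.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 05:01:09 mta postfix/smtp[2102]: Untrusted TLS connection established to mx.plain.example[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 05:02:30 mta postfix/smtpd[2110]: Anonymous TLS connection established from client.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 05:03:11 mta postfix/smtp[2115]: Verified TLS connection established to mx.dane.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 05:04:45 mta postfix/smtp[2120]: Trusted TLS connection established to mx.pki.example[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Only the SMTP *client* (smtp, not smtpd) logs outbound sessions, and only
# those lines say "established to". Inbound smtpd lines say "from" and carry
# no information about whether the sender verified this MTA.
OUTBOUND_TLS = re.compile(
    r"/smtp\[\d+\]: (?P<status>\w+) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+):"
)


def summarize(log_text):
    """Return {mx_host: {status: count}} for outbound TLS sessions."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = OUTBOUND_TLS.search(line)
        if m:
            per_host[m.group("host")][m.group("status")] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def verified_hosts(log_text):
    """MX hosts whose every logged outbound session was "Verified".

    Caveat from the message above: an explicit TLS policy for a domain can
    also yield "Verified", so exclude such domains before reading this as DANE.
    """
    summary = summarize(log_text)
    return sorted(h for h, c in summary.items() if set(c) == {"Verified"})


if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, counts)
```

A host that shows a mix of "Verified" and other statuses is worth a closer look, since it means some sessions to the same MX were not authenticated.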