> On Aug 14, 2018, at 11:53 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> 
> wrote:
> 
> DANE is ready for adoption, with multiple fielded implementations and many
> (312 thousand inbound plus some large ones still outbound only) live domains.
> 
> Outbound DANE is simple.  Make sure you have a DNSSEC-validating resolver
> running locally on the MTA (it can forward queries to an upstream cache
> if you like), and set:
> 
>    main.cf:
>       smtp_tls_security_level = dane
>       smtp_dns_support_level = dnssec

One more thing I forgot to mention, should you be unlucky enough to run into
a domain whose TLSA records don't match reality, double-check this against:

   https://github.com/danefail/list

where some of us keep track of a small number of domains with operational
difficulties.  If already listed, consider exempting from DANE on your end
with a policy table entry:

  main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy

  tls-policy:
        # Operator error: not DANE-capable:
        example.com may

If not yet listed, and not fixed promptly even after notifying the
domain holder, postmaster, ... open an issue to have it added.

Another way to get past such problems, is to disable DNSSEC for
the MX-host domain via a suitable resolver configuration directive.
For example in "unbound.conf":

        server:
                domain-insecure: "example.com"

This may need to be set for the containing zone; I don't recall
whether the option is valid for names not at the zone apex.

-- 
        Viktor.
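Before exempting a domain with a "may" policy entry, it is worth reproducing the mismatch the MTA saw, i.e. checking which of the published TLSA records are usable for SMTP and whether any of them matches the chain the MX host actually presents. The block below is an added example, not Postfix code and not part of the post above: it implements the RFC 6698/7672 matching rules (selectors 0/1, matching types 0/1/2, usages DANE-TA and DANE-EE; PKIX usages 0/1 treated as unusable, as Postfix does) over placeholder byte strings that stand in for DER certificates, so it runs offline. The names `evaluate`, `tlsa_for`, `EE`, `ISSUER`, `OLD_EE` and `CHAIN` are assumptions of the example; a real check would fetch the chain with STARTTLS and the records from `_25._tcp.<mx-host>`.

```python
"""
Check whether a domain's TLSA records "match reality": does any usable
record match the certificate chain the MX host presents?

Added example, not Postfix code.  Certificates are constructed placeholder
byte strings (not real DER) so the example runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Certificate usages from RFC 6698.  RFC 7672 (DANE for SMTP) treats
# PKIX-TA(0) and PKIX-EE(1) as unusable; Postfix acts on DANE-TA(2) and
# DANE-EE(3) only.
DANE_TA, DANE_EE = 2, 3


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes    # certificate association data


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: its DER bytes and its DER SPKI."""
    name: str
    der: bytes
    spki: bytes


def parse_tlsa(rr: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, mtype, *hexparts = rr.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data for a selector / matching type pair."""
    raw = cert.der if selector == 0 else cert.spki if selector == 1 else None
    if raw is None:
        raise ValueError(f"unsupported selector {selector}")
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_for(cert: Cert, usage: int, selector: int = 1, mtype: int = 1) -> str:
    """Render the TLSA record an operator would publish for `cert`."""
    return f"{usage} {selector} {mtype} {assoc_data(cert, selector, mtype).hex()}"


def usable(rec: TLSA) -> bool:
    return rec.usage in (DANE_TA, DANE_EE) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def evaluate(records: Iterable[str], chain: List[Cert]) -> Tuple[str, Optional[str]]:
    """
    chain[0] is the end-entity cert the MX host presents, the rest are the
    issuer certs it sends.  Returns (verdict, detail):
      'no-usable-records'  records exist but none are usable for SMTP
                           (Postfix then falls back to the 'encrypt' level)
      'verified'           a usable record matches: delivery proceeds
      'mismatch'           usable records exist, none match: delivery is
                           deferred, the case the danefail list is for
    Simplification: for DANE-TA this only checks that a record matches a
    cert in the presented chain; a real client also validates the chain.
    """
    usable_recs = [r for r in (parse_tlsa(x) for x in records) if usable(r)]
    if not usable_recs:
        return "no-usable-records", None
    for rec in usable_recs:
        candidates = chain[:1] if rec.usage == DANE_EE else chain[1:]
        for cert in candidates:
            if assoc_data(cert, rec.selector, rec.mtype) == rec.data:
                return "verified", f"{rec.usage} {rec.selector} {rec.mtype} matched {cert.name}"
    return "mismatch", f"{len(usable_recs)} usable record(s), none match the presented chain"


# Constructed placeholders (not real DER certificates).
EE = Cert("mx.example.com", b"constructed-ee-cert-der", b"constructed-ee-spki")
ISSUER = Cert("Example Issuing CA", b"constructed-ca-cert-der", b"constructed-ca-spki")
OLD_EE = Cert("mx.example.com (rotated-out key)", b"old-ee-cert-der", b"old-ee-spki")
CHAIN = [EE, ISSUER]

if __name__ == "__main__":
    # Current "3 1 1" record for the live key: verified.
    print(evaluate([tlsa_for(EE, DANE_EE)], CHAIN))
    # Key rotated, stale TLSA record left behind: the classic danefail case.
    print(evaluate([tlsa_for(OLD_EE, DANE_EE)], CHAIN))
    # Only a PKIX-EE(1) record published: unusable for SMTP.
    print(evaluate([tlsa_for(EE, 1)], CHAIN))
    # A "2 1 1" record for the issuer survives the EE key rotation.
    print(evaluate([tlsa_for(OLD_EE, DANE_EE), tlsa_for(ISSUER, DANE_TA)], CHAIN))
```

The second case is the one the thread is about: a stale "3 1 1" record after a key rollover gives usable-but-mismatching records, so the MTA defers rather than falling back, and the only remedies on the sending side are the "may" policy entry or the resolver's `domain-insecure` workaround described above.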
