On Wed, Aug 12, 2020 at 07:58:56AM +0200, Benny Pedersen wrote:
> in my own main.cf i added
>
> smtp_tls_dane_insecure_mx_policy = may
Yes, that will enable you to send mail to the roundcube list.
> Should postfix default be changed to
>
> smtp_tls_dane_insecure_mx_policy = dane_only
Definitely not. The dane_only policy is ONLY for business partner
domains where you have a contractual or similar bilateral expectation
that DANE will be supported.
Given "smtp_tls_security_level = dane", the default value "dane" of
smtp_tls_dane_insecure_mx_policya will also enforce DANE for DANE-enabled
MX hosts of unsigned domains. The "may" work-around disables this,
using unauthenticated opportunistic TLS instead. You could also use
a less blunt tool, and set a temporary custom "may" TLS policy for
lists.roundcube.net in your smtp_tls_policy_maps.
Another option is to add (and later not forget to remove) what DNS
operators call an NTA (negative trust anchor) for kolabsys.com in
your DNS resolver, marking the domain artificially "insecure".
> lets hope kolapsys.com reads postfix maillists
Or perhaps they'll see my second notice.
--
Viktor.
