Dear Viktor,

Thank you for your (as usual!) most helpful response below, which was much appreciated.

On Thu, 27 May 2021 11:57:41 -0400, Viktor Dukhovni wrote:-

>On Thu, May 27, 2021 at 04:48:15PM +0100, Matthew Richardson wrote:
>
>> I am trying to work out the correct incantation in order to specify for a
>> given outgoing domain that:-
>>
>> * TLS is mandatory, the message is not sent unencrypted; and
>> * if DANE is present AND if it fails to match, the message is not sent
>
>I'm afraid that's not currently possible. You can mandate DANE via a
>setting of "dane-only" or opportunistically use DANE via "dane", which
>in the absence of TLSA records defaults to opportunistic TLS, which may
>in turn send in the clear when TLSA records are determined to be absent.

Just to clarify, will a selection of "encrypt" disable any DANE checking?

>> The problem (if I am reading it correctly!) is that "dane" falls back only
>> to "may" if there are no TLSA records.
>
>That's right, we'd need a new dane-or-encrypt level, or a more complex
>policy specification syntax which supports "fallback" levels when a
>non-deterministic level such as DANE does not find its pre-requisites to
>be available.

Where does one go to make a formal feature request for this please?

By default, my servers run:-

smtp_tls_security_level = dane
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec

and I am wanting to enhance this for certain specific domains to require
mandatory encryption, without neutering DANE if present.

Thus, the suggestion of an additional "dane-or-encrypt" level seems like a
very good idea!

Best wishes,
Matthew
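The two levels Viktor names, placed side by side in a per-domain smtp_tls_policy_maps table so the trade-off discussed above is visible; this is an added example, not configuration from the thread, and the table path and domain names are assumed.

```ini
# main.cf (added example; the policy table path is assumed)
smtp_tls_security_level = dane
smtp_dns_support_level  = dnssec
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (domains are constructed; run "postmap" after editing)
#
# Peer known to publish TLSA records: DANE is mandatory. If the records are
# missing, not DNSSEC-signed, or do not match the presented certificate,
# delivery is deferred; mail is never sent in the clear.
example.com     dane-only
#
# Peer with no TLSA records: STARTTLS is enforced, but "encrypt" performs
# no DANE lookup and no certificate verification at all, so any TLSA
# records the peer later publishes are ignored for this domain.
example.net     encrypt
#
# Every other destination keeps the global "dane" level, which drops to
# "may" (possibly cleartext) when no TLSA records exist.
```

Neither entry gives the "TLS mandatory, DANE verified when present" combination asked for in the message; the table only lets you pick, per domain, which of the two existing behaviours applies.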