On Thu, Aug 05, 2021 at 04:48:07PM +0200, Matteo Cazzador wrote:

> I use a local domain "example.local". I want to exclude it from the DANE
> check because I obtain this error:
>
> warning: DANE TLSA lookup problem: Host or domain name not found. Name
> service error for name=_25._tcp.example.local type=TLSA: Host not
> found, try again

Your resolver apparently returns AD=1 for example.local.  [Is the domain
actually signed, or is the resolver setting AD=1 for all authoritative
data?]  If the resolver behaviour is configurable, you could add a
"negative trust anchor" (a.k.a. NTA) for example.local that would cause
the zone to be treated as unsigned (AD=0).

That said, I have considered, but not yet implemented, treating the AA
(authoritative answer) bit as equivalent to AD by default, and generally
if a resolver is authoritative for a domain, it will always return AA=1.
Therefore, your next choice is:

On Thu, Aug 05, 2021 at 11:00:30AM -0400, Wietse Venema wrote:

> You can specify a different policy for example.local with
> smtp_tls_policy_maps.

On Thu, Aug 05, 2021 at 05:03:03PM +0200, Matteo Cazzador wrote:

> Thanks, something like this?
>
> /etc/postfix/main.cf:
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> /etc/postfix/tls_policy:
> example.local none

I'd go with "may" (or "secure" if you'd prefer to use WebPKI to validate
the certificates), rather than "none".

-- 
	Viktor.
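The per-destination override Wietse and Viktor describe, written out as an added example that is not part of the thread. The DANE and DNSSEC settings are assumed to be already present, since the warning in the log only occurs when DANE is in use; the CA file path is an assumption:

```conf
# /etc/postfix/main.cf
# Assumed already in place: DANE requires a DNSSEC-validating resolver.
smtp_tls_security_level = dane
smtp_dns_support_level  = dnssec
# Per-destination policy table; its entries override the global level.
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
# Only needed for the "secure" variant below (assumed path, local CA).
# smtp_tls_CAfile = /etc/postfix/example-local-ca.pem

# /etc/postfix/tls_policy
# Opportunistic TLS for the unsigned local domain: no TLSA lookup is made,
# TLS is used when the peer offers STARTTLS, plaintext otherwise.
example.local   may
# Alternative if the peer's certificate chains to a CA in smtp_tls_CAfile
# (by default "secure" matches the nexthop domain and its subdomains):
#example.local   secure
# What was proposed above, and advised against: "none" disables TLS
# entirely for this destination.
#example.local   none
```

After editing the table run `postmap /etc/postfix/tls_policy` and `postfix reload`, then confirm the entry with `postmap -q example.local hash:/etc/postfix/tls_policy`, which should print `may`.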