On Mon, Jan 10, 2022 at 12:54:46PM +0100, Joachim Lindenberg wrote:
> German data protection authorities level define kind of four
> compliance levels for email encryption
>
> 0 - no encryption and thus definitely illegal
> 1 - encryption (not clearly specified whether certs need to be validated)
> 2 - DNSSEC + cert validation or manual trust establishment
> 3 - PGP or S/MIME - which imho is neither practical nor more secure
>
> I want to support 2 but not block other communication (could of course
> set up a second email server with a different domain but don't really
> want to).

So you're looking for DANE or else "verify" conditional on DNSSEC, that's
not a feature of Postfix, and many DNSSEC-signed domains have neither
DANE, nor certificates that verify. Will you be making manual exceptions
for them all? Yes, many happen to have MX hosts with working WebPKI certs
that match the MX hostname, but there is no way to know a priori where
you can expect/rely on this...

> Unfortunately there is no option to trigger "verify" with DNSSEC and
> DANE is even less adopted than DNSSEC. I am in fact wondering whether
> I could just check the queue for cert issues, do a DNSSEC test, and if
> that fails put the domain on encrypt only via some API (sql
> update?)...
>
> Thanks, Joachim

Note that ~18% of DNSSEC-signed domains have DANE, which is pretty good
IMHO, and I hope will get better over time. You're rather impatient,
improvements in core Internet infrastructure take decades, my advice is
to live with the Internet we have, and be more patient about things
we'd like to have, but can't yet.

-- 
Viktor.
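One way to turn the per-domain scheme Joachim sketches (DANE where it exists, WebPKI "verify" only where the MX lookup was DNSSEC-signed, plain "encrypt" everywhere else) into a Postfix smtp_tls_policy_maps table. This is an added example, not code from the thread or from Postfix; the MxProbe fields and the sample probe results are constructed, and in practice they would be filled from a validating resolver (AD bit) and a TLS probe of the MX.

```python
from dataclasses import dataclass

# Constructed probe result for one recipient domain (assumed shape, not a
# Postfix or resolver API). The booleans are what a validating resolver and a
# TLS probe of the MX would report.
@dataclass
class MxProbe:
    domain: str           # recipient domain, the policy-map lookup key
    mx_host: str          # MX hostname the domain resolves to
    dnssec_signed: bool   # MX and TLSA answers came back with the AD bit set
    has_tlsa: bool        # _25._tcp.<mx_host> has TLSA records
    cert_verifies: bool   # WebPKI chain verifies and matches mx_host

def policy_for(p: MxProbe) -> str:
    """Right-hand side of the smtp_tls_policy_maps entry for p.domain.

    "Level 2" in the thread's terms is reached either by DANE or by WebPKI
    verification; the latter is only trusted when the MX lookup itself was
    DNSSEC-signed, since an unsigned MX answer could point at any host.
    Everything else falls back to opportunistic "encrypt" so mail still flows.
    """
    if p.dnssec_signed and p.has_tlsa:
        return "dane-only"
    if p.dnssec_signed and p.cert_verifies:
        return "verify match=hostname"
    return "encrypt"

def render_policy_map(probes) -> str:
    # One "domain policy" line per domain, as postmap(1) expects for a
    # hash: table; the same strings could equally be written via an SQL map.
    return "".join(f"{p.domain} {policy_for(p)}\n" for p in probes)

# Constructed sample data for three domains (not real measurements).
SAMPLE = [
    MxProbe("dane.example", "mx.dane.example", True, True, True),
    MxProbe("signed.example", "mx.signed.example", True, False, True),
    MxProbe("plain.example", "mx.plain.example", False, False, True),
]

if __name__ == "__main__":
    print(render_policy_map(SAMPLE), end="")
```

A DNSSEC-signed domain with neither TLSA records nor a verifying certificate lands on "encrypt" here, which is exactly the case Viktor points out cannot be predicted a priori.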