> So you're looking for DANE or else "verify" conditional on DNSSEC, that's not
> a feature of Postfix, and many DNSSEC-signed domains have neither DANE, nor
> certificates that verify.
> Will you be making manual exceptions for them all? Yes, many happen to have
> MX host with working WebPKI certs that match the MX hostname, but there is no
> way to know a priori where you can expect/rely on this...

Actually I am really considering a small script that looks at the queue and adds rules on the fly. Any guidance or help definitely appreciated. And if that works out one might consider a new configuration option.

Right now I am adding exceptions manually, tedious of course. The pattern is like:

(Server certificate not verified) -> "encrypt" instead of the default "verify"
(I am not checking DNSSEC manually yet, and if I did, then probably for statistics only)
(TLS is required, but was not offered...) -> "may" instead of "verify"

In fact I complained to the organization that had no TLS for violating data protection regulation.
> Note that ~18% of DNSSEC-signed domains have DANE, which is pretty good IMHO,
> and I hope will get better over time.

The real problem is less than 2% DNSSEC in Germany (.de only; I am in the minority with my .de out of a total of three domains supporting it).

> You're rather impatient, improvements in core Internet infrastructure take
> decades, my advice is to live with the Internet we have, and be more patient
> about things we'd like to have, but can't yet.

I have been in the industry for four decades, and sometimes I advocate change 😉

Cheers,
Joachim
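The queue-driven script Joachim describes, as an added example that is not part of the thread or of Postfix: it reads `postqueue -j` output (assumed format: one JSON object per message, each recipient carrying a `delay_reason`), maps the two deferral texts from the post to the weaker `tls_policy(5)` level, and renders lines to review before running `postmap`. The queue dump below is constructed, and the next-hop is assumed to be the recipient domain (no transport_maps override).

```python
import json
import re

# Deferral texts logged by Postfix smtp(8), paired with the weaker level the
# post substitutes for the default "verify".
PATTERNS = (
    (re.compile(r"TLS is required, but was not offered"), "may"),
    (re.compile(r"Server certificate not verified"), "encrypt"),
)
# Lower rank = weaker. If a domain matched both texts keep the weaker one:
# "encrypt" would still defer mail to an MX that offers no TLS at all.
RANK = {"may": 0, "encrypt": 1}

def _msg(qid, *rcpts):
    # One constructed `postqueue -j` record (hypothetical data, not real mail).
    return json.dumps({"queue_name": "deferred", "queue_id": qid, "sender": "a@example.net",
                       "recipients": [{"address": a, "delay_reason": r} for a, r in rcpts]})

SAMPLE_QUEUE = "\n".join([
    _msg("AAA111", ("u@one.example", "TLS is required, but was not offered by host mx.one.example[192.0.2.10]")),
    _msg("BBB222", ("v@two.example", "Server certificate not verified"),
         ("w@Two.Example", "TLS is required, but was not offered by host mx2.two.example[192.0.2.20]")),
    _msg("CCC333", ("x@three.example", "connect to mx.three.example[192.0.2.30]:25: Connection timed out")),
])

def policies_from_queue(dump):
    """Recipient domain -> weakest tls_policy level implied by its deferral reason.
    Assumes the next-hop is the recipient domain (no transport_maps override)."""
    policies = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        for rcpt in json.loads(line).get("recipients", []):
            addr, reason = rcpt.get("address", ""), rcpt.get("delay_reason") or ""
            if "@" not in addr:
                continue  # nothing to key a next-hop policy on
            domain = addr.rsplit("@", 1)[1].lower()
            for pattern, level in PATTERNS:
                if pattern.search(reason):
                    if domain not in policies or RANK[level] < RANK[policies[domain]]:
                        policies[domain] = level
                    break
    return policies

def render_tls_policy(policies):
    """Lines for a hash: tls_policy table; review them, then run postmap."""
    return "\n".join(f"{domain} {level}" for domain, level in sorted(policies.items()))
```

Domains whose deferral reason matches neither text (the connection timeout above) get no entry, so the default "verify" still applies to them.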