Hey Byung-Hee!

* Byung-Hee HWANG via Postfix-users <soyeo...@doraji.xyz>:
> Hello Postfix hackers,
> 
> I have a question while reading the DANE docs. Is DNSSEC mandatory for
> making a DANE mail server?
> 
> For now I'm running two Postfix servers in public. Actually I'm a beginner
> in both DANE and DNSSEC.

You need to DNSSEC-enable your DNS zone for DANE *if* you want to offer DANE on
your inbound side because those who want to send to your mailserver will need
DNSSEC security to ensure their server will communicate with the right server
(read: your server).

You don't need DNSSEC for your DNS zone *if* your server should DANE-verify
other DANE-enabled receiver platforms. In this case all you need to do is run
a DNSSEC-verifying DNS resolver on your server (not systemd-resolved) and
configure Postfix to use DANE when it sends messages:

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1

I do recommend enabling at least DANE on the outbound side to let your users
participate in the higher level of security.

p@rick

P.S.
See also: https://blog.sys4.de/blog/outbound-dane/, which I've written in 
German.


-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
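
Added example, not part of the message above and not Postfix code: a small offline audit of the two outbound-DANE prerequisites the reply names (the main.cf settings and a resolver that is not systemd-resolved). The function names and sample files are constructed, and it assumes "a resolver on your server" means resolv.conf lists only loopback addresses.

```python
import re

# Constructed sample inputs, not taken from any real host.
SAMPLE_MAIN_CF = """\
# outbound DANE settings from the reply above
smtp_dns_support_level = dnssec
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_security_level =
    dane
"""
SAMPLE_RESOLV_CONF = "search example.test\nnameserver 127.0.0.53\n"

STUB = "127.0.0.53"              # systemd-resolved stub listener address
LOOPBACK = ("127.0.0.1", "::1")  # assumption: local validating resolver


def parse_main_cf(text):
    """Return {parameter: value} using main.cf rules: '#' comments,
    whitespace-led continuation lines, last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # continuation of the logical line
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def audit_outbound_dane(main_cf, resolv_conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    params = parse_main_cf(main_cf)
    if params.get("smtp_dns_support_level") != "dnssec":
        findings.append("smtp_dns_support_level is not 'dnssec'")
    if params.get("smtp_tls_security_level") not in ("dane", "dane-only"):
        findings.append("smtp_tls_security_level is not 'dane'")
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    if STUB in servers:
        findings.append("resolv.conf uses the systemd-resolved stub " + STUB)
    elif not servers or any(s not in LOOPBACK for s in servers):
        findings.append("resolv.conf is not limited to a loopback resolver")
    return findings
```

On a live host the two strings would come from /etc/postfix/main.cf and /etc/resolv.conf; a clean result does not prove that the loopback resolver actually validates DNSSEC.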