John wrote on 2013-12-14 15:24:
An excellent idea, particularly as you are talking to the dumbest bit
of the horse at the moment.
if it's dumbest it's a donkey, not a horse :)
On Sat, Dec 14, 2013 at 04:16:08PM -0500, John wrote:
> Yes, unfortunately my .ca Registrar is not currently capable of
> handling DS or DNSKEY records so I am using the ISC dlv, It works
> for most things, but I assume from your comment that TLSA will
> require records at the .ca root. I have the
On 14/12/2013 1:30 PM, Viktor Dukhovni wrote:
On Sat, Dec 14, 2013 at 12:44:49PM -0500, John Allen wrote:
Just a thought, maybe there is a more appropriate forum/mail list to
discuss this on, as this is not strictly Postfix related?
It is fine to ask here, Postfix is the first real applicatio
On Sat, Dec 14, 2013 at 02:35:15PM -0600, /dev/rob0 wrote:
> > The trick is to find tools that make operating a DNSSEC zone
> > relatively painless. You get security, but it is easier to mess
> > up leaving the zone with stale signatures and thus essentially
> > invisible to all DNSSEC-aware clients
On Sat, Dec 14, 2013 at 05:26:01AM +, Viktor Dukhovni wrote:
> On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
> > > The main difficulty with server-side DANE is that your zone
> > > must be DNSSEC signed. Deployment of DNSSEC is still fairly
> > > thin. With a bit of luck DANE m
On Sat, Dec 14, 2013 at 12:44:49PM -0500, John Allen wrote:
> >>Just a thought, maybe there is a more appropriate forum/mail list to
> >>discuss this on, as this is not strictly Postfix related?
> >
> >It is fine to ask here, Postfix is the first real application to
> >support DANE TLSA.
>
> Thank
On Sat, Dec 14, 2013 at 08:31:10AM -0500, John wrote:
DANE TLSA records allow sites to independently create leaf and CA
certificates after first registering their DNSSEC key-signing-keys
with their DNS registrar. So in effect you do have a CA, but it
is your DNS registrar and they effectively m
On 14.12.2013 16:19, Danil Smirnov wrote:
> Joni, thank you very much!
>
> Now I've found several RPMs but I don't know their creators - so they
> are very unsecure for me... Maybe you can point me to some official
> source for such RPMs?
>
> Another option is to build postfix from sources..
On Sat, Dec 14, 2013 at 08:31:10AM -0500, John wrote:
> >DANE TLSA records allow sites to independently create leaf and CA
> >certificates after first registering their DNSSEC key-signing-keys
> >with their DNS registrar. So in effect you do have a CA, but it
> >is your DNS registrar and they eff
Joni, thank you very much!
Now I've found several RPMs but I don't know their creators - so they
are very unsecure for me... Maybe you can point me to some official
source for such RPMs?
Another option is to build postfix from sources...
Is there any trusted repository for the new postfix vers
On 14 Dec 2013, at 15:41, Danil Smirnov wrote:
> From the version 2.7 we've got fantastic new feature -
> sender_dependent_default_transport_maps which "allow sending mail with
> source IP addresses that depend on the envelope sender".
>
> This option is very useful for defining reverse dns para
Hi dear postfix users!
From the version 2.7 we've got fantastic new feature -
sender_dependent_default_transport_maps which "allow sending mail with
source IP addresses that depend on the envelope sender".
This option is very useful for defining reverse dns parameter for each
ip to let mail from
On 14/12/2013 8:37 AM, Wietse Venema wrote:
Does this do anything to solve "Man in the middle" who presents an
apparently valid cert (usually generated on the fly)? Because I thought
the only way to detect this was to compare the fingerprint of the key
presented with the known fingerprint.
John:
> > - DNSSEC: a man-in-the-middle hardened means of publishing DNS data.
> >
> > - DANE: an IETF working group to develop standards for using DNSSEC
> >to publish authentication information (public keys and the like)
> >that binds DNS names to corresponding credentia
On 14/12/2013 12:26 AM, Viktor Dukhovni wrote:
On Sat, Dec 14, 2013 at 12:04:15AM -0500, John Allen wrote:
The main difficulty with server-side DANE is that your zone
must be DNSSEC signed. Deployment of DNSSEC is still fairly thin.
With a bit of luck DANE might motivate folks