> On Oct 27, 2017, at 10:29 AM, Kris Deugau wrote:
>
>> There are two prerequisites for DANE verification to happen:
>>
>> 1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
>> DNS resolver and for any meaningful security must be either on
>> the loopback interface
Viktor Dukhovni wrote:
There are two prerequisites for DANE verification to happen:
1. Your DNS resolver in /etc/resolv.conf needs to be a *validating*
DNS resolver and for any meaningful security must be either on
the loopback interface or reachable via a securely keyed IPsec
> On Oct 27, 2017, at 12:34 AM, g...@pztop.com wrote:
>
> For the DNS part (condition 1) I run a local BIND DNS server. The named.conf
> has these lines:
>
> forward only;
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };
>
> dnssec-enable yes;
> dnssec-validation yes;
Personally, I would not cho
On 2017-10-26 17:02, Viktor Dukhovni wrote:
>> On Oct 26, 2017, at 5:08 PM, Gao wrote:
>>
>> I am trying to set up DANE on my mail server.
>
> Thanks for being an early adopter. Your enthusiasm is appreciated.
> Don't forget to *monitor* your deployment, by periodically (at
> least daily) che
> On Oct 26, 2017, at 5:08 PM, Gao wrote:
>
> I am trying to set up DANE on my mail server.
Thanks for being an early adopter. Your enthusiasm is appreciated.
Don't forget to *monitor* your deployment, by periodically (at
least daily) checking that your DNSSEC is working and your
SMTP server ce
On 2017-10-26 02:58 PM, Christian Kivalo wrote:
On 26 October 2017 23:08:16 CEST, Gao wrote:
Hi,
I am trying to set up DANE on my mail server. But I have never seen a
"Verified TLS connection..." in the log. I always got:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
establi
On 26 October 2017 23:08:16 CEST, Gao wrote:
>Hi,
>
>I am trying to set up DANE on my mail server. But I have never seen a
>"Verified TLS connection..." in the log. I always got:
>Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
>established to gmail-smtp-in.l.google.com[74.125.12
Hi,
I am trying to set up DANE on my mail server. But I have never seen a
"Verified TLS connection..." in the log. I always got:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA