> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Eivind Olsen
> Sent: Monday, February 23, 2015 3:33 PM
> To: [email protected]
> Subject: RE: Postfix DANE support for Certificate Usage = 0/1?
>
> On 2015-02-24 00:23, Kevin San Diego wrote:
>
> > model. For the types of customers who already have to have public
> > CA-cert validated SMTP communications (and associated accept on
> > validation success/drop on validation failure policy set up with
> > critical partners), the currently deployed field of MTAs which don't
> > yet have SMTP client support for DANE won't be able to validate
> > the TLS session if a DANE EE cert is used in lieu. Given that MX
> > records point to a specific host or set of hosts on a per domain
> > basis, I presently don't see how an organization could simultaneously
> > support both traditional CA-cert validated TLS connections and TLSA
> > (mode 2/3) validated TLS connections. Receiving SMTP servers can
> > typically only be configured with a single server certificate per
> > IP/port binding.
>
> This was the bit that got me really confused as well. If I understand it
> correctly, you can still use mode 2/3 on a CA-signed certificate, you're
> just telling DANE-capable clients that they're not supposed to validate
> the certificate against the PKIX infrastructure. Non-DANE-capable
> clients will still do their normal thing when they see the certificate
> in their SSL/TLS sessions.
Ah okay, that sounds like the bit of the puzzle I was missing. Time to do some testing!

Sincerely,
Kevin San Diego
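The testing can start with the record itself. As an added example that is not part of this thread, the POSIX shell script below derives a "3 1 1" TLSA record (usage DANE-EE, selector SPKI, matching SHA-256) from a server certificate with openssl and checks certificates against it; a constructed self-signed certificate stands in for the MX host's real one, and openssl in PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). A DANE-EE (usage 3) client compares only the
# server's public key against the TLSA data and ignores the CA chain, so the same
# record serves a CA-signed or a self-signed certificate on that key, while non-DANE
# clients never consult TLSA and keep doing ordinary PKIX validation.
set -eu

# tlsa_311_data CERT.pem -> lowercase hex SHA-256 of the DER-encoded SubjectPublicKeyInfo
tlsa_311_data() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= *//'
}

# tlsa_record MXHOST PORT CERT.pem -> zone-file line to publish (owner is _port._tcp.host)
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311_data "$3")"
}

# tlsa_matches CERT.pem HEX -> succeeds only if the certificate's SPKI hash equals HEX
tlsa_matches() {
    [ "$(tlsa_311_data "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Constructed certificates standing in for the MX host's own (assumption: openssl in PATH).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mx.example.com' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
# Renewal on the SAME key (what a CA re-issue usually is): the record keeps matching.
openssl req -x509 -new -key "$WORK/key.pem" -days 1 -subj '/CN=mx.example.com' \
    -out "$WORK/renewed.pem" 2>/dev/null
# Rollover to a NEW key without a DNS update: DANE clients would refuse the session.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mx.example.com' \
    -keyout "$WORK/rotated-key.pem" -out "$WORK/rotated.pem" 2>/dev/null

tlsa_record mx.example.com 25 "$WORK/cert.pem"
PUBLISHED=$(tlsa_311_data "$WORK/cert.pem")
for c in renewed rotated; do
    if tlsa_matches "$WORK/$c.pem" "$PUBLISHED"; then
        echo "$c.pem matches the published 3 1 1 record"
    else
        echo "$c.pem does NOT match: publish the new TLSA record before switching keys"
    fi
done
```

Because the hash covers only the key, the record printed here is unchanged when the same key is later certified by a public CA, which is what lets "3 1 1" coexist with PKIX validation for non-DANE clients.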
