On Mon, Mar 18, 2013 at 03:18:20AM +0000, Viktor Dukhovni wrote:
> If anyone wants to volunteer to test the code, drop me a note, I'll
> send you a pointer to the patched release (documentation in
> <html/TLS_README.html#client_tls_dane>).

This is now available as a nonprod snapshot via the postfix.org mirrors
listed at:

http://www.postfix.org/download.html

e.g.:

http://cdn.postfix.johnriley.me/mirrors/postfix-release/experimental/postfix-2.11-20130426-nonprod.tar.gz

The "nonprod" suffix means that the code has not been fully reviewed;
this will take a number of weeks.

Online docs for the snapshot are at:

http://vdukhovni.github.io/postfix/

Once this is a regular snapshot, the documentation will be at

http://www.postfix.org/documentation.html

Feedback appreciated on:

http://vdukhovni.github.io/postfix/TLS_README.html#server_cert_key
http://vdukhovni.github.io/postfix/TLS_README.html#client_tls_dane

If in the meantime anyone turns on more DNSSEC domains and
publishes TLSA RRs for the domain's MX hosts, please drop me a
note.

Recommendation is to publish either "2 1 1" (and of course include
the TA cert in the server's TLS trust chain) or "3 1 1". Feel free
to publish "3 1 1" for both RSA and ECDSA certs (Postfix MTAs can
be configured with both).

--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
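
An added example, not part of the original message and not Postfix code: how the "3 1 1" or "2 1 1" TLSA record data recommended above is derived, namely the SHA-256 digest of the DER SubjectPublicKeyInfo of the server certificate (usage 3) or of the trust-anchor certificate (usage 2). The function names, the host `mx.example.com` and the sample input are assumptions; the sample is a constructed, unsigned certificate skeleton, not a real certificate.

```python
import hashlib

def read_tlv(buf, off):
    """Parse one DER element at off; return (tag, value_start, end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of a certificate."""
    _, pos, _ = read_tlv(cert_der, 0)           # Certificate
    _, pos, tbs_end = read_tlv(cert_der, pos)   # tbsCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:         # optional [0] version
        fields.pop(0)
    # Remaining order: serial, sigAlg, issuer, validity, subject, SPKI.
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[fields[5][1]:fields[5][2]]

def tlsa_rr(host, cert_der, usage, selector=1, mtype=1, port=25):
    """Build a TLSA RR; pass the TA cert for usage 2, the server cert for 3."""
    data = {0: lambda: cert_der, 1: lambda: extract_spki(cert_der)}[selector]()
    digest = {0: bytes.hex, 1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {digest}"

def der(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

# Constructed, unsigned certificate skeleton (assumption): not a real certificate.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SAMPLE_SPKI = der(0x30, ALG + der(0x03, b"\x00" + bytes(range(200))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG
          + der(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + ALG + der(0x03, b"\x00"))
print(tlsa_rr("mx.example.com", SAMPLE_CERT, 3))
```

Because selector 1 hashes only the public key, the published record stays valid across certificate renewals that reuse the same key, and a server with both RSA and ECDSA certificates needs one such record per key.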