[shameless plug ahead]
On 17 jan. 2014, at 01:04, Viktor Dukhovni <[email protected]> wrote:

> /etc/postfix/main.cf:
>     # Server TLS
>     smtpd_tls_security_level = may
>     smtpd_tls_loglevel = 1
>     smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
>     smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
>     smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>     smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem

Of course one should publish the TLSA RR once the server bit has been configured.

Easy generation:

    ldns-dane -c ${config_directory}/smtpd-chain.pem create <mx.example.com> 25 domain-issued full

e.g.

    $ ldns-dane -c /usr/local/etc/postfix/postfix-cert.pem create mx.secret-wg.org 25 domain-issued full
    _25._tcp.mx.secret-wg.org. 3600 IN TLSA 3 0 1 3830c1286a6e1982d76b08ad04d681b5d870d8ad4374821b778b6aab462da96c

See http://www.nlnetlabs.nl/projects/ldns/ for ldns-dane (lives in most repos)

—Olaf
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
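
Added example, not part of the original message and not ldns code: how the "3 0 1" RDATA in the message above is derived (usage 3, selector 0, SHA-256 over the DER of the certificate) and a check that a published TLSA RR still matches the certificate file after a renewal. The function names and the fake_pem sample input are assumptions constructed for illustration; the first certificate in a chain file is assumed to be the server's own.

```python
import base64, hashlib, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# RFC 6698 matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512
MATCHING = {0: lambda d: d.hex(),
            1: lambda d: hashlib.sha256(d).hexdigest(),
            2: lambda d: hashlib.sha512(d).hexdigest()}

def leaf_der(pem_text):
    """DER bytes of the first certificate in a PEM file (assumed to be the leaf)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def tlsa_rdata(pem_text, matching=1):
    """RDATA for usage 3 (domain-issued), selector 0 (full certificate)."""
    return f"3 0 {matching} {MATCHING[matching](leaf_der(pem_text))}"

def tlsa_owner(mx_host, port=25):
    """Owner name of the TLSA RR for an SMTP server, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def record_matches(rr_line, pem_text):
    """Compare a published TLSA RR (zone-file text) with the certificate file."""
    fields = rr_line.split()
    i = fields.index("TLSA")
    usage, selector, matching = (int(x) for x in fields[i + 1:i + 4])
    if (usage, selector) != (3, 0):
        raise ValueError("only usage 3 / selector 0 is handled here")
    published = "".join(fields[i + 4:]).lower()  # hex may be split or upper-case
    return published == MATCHING[matching](leaf_der(pem_text))

def fake_pem(payload):
    """Constructed stand-in: PEM armour around arbitrary bytes, not a real X.509 cert."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    chain = fake_pem(b"constructed leaf") + fake_pem(b"constructed issuer")
    rr = f"{tlsa_owner('mx.example.com')} 3600 IN TLSA {tlsa_rdata(chain)}"
    print(rr, record_matches(rr, chain))
```

Because a usage 3 record pins the certificate itself, record_matches returning False for the new file before a rollover means the TLSA RR has to be updated in DNS first.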
