Recently I have been struggling with configuring DANE and DNSSEC for a domain, for which my DNS is authoritative.
Software

  Linux Fedora 28
  BIND 9.12.3
  Postfix 3.3.1

    smtp_tls_dane_insecure_mx_policy = dane
    smtp_tls_security_level = dane
    tls_dane_digest_agility = on
    tls_dane_digests = sha512 sha256
    tls_dane_trust_anchor_digest_enable = yes
    smtp_dns_support_level = dnssec
    smtp_host_lookup = native, dns

DNSSEC is not the problem, but there are issues in setting up DANE in Postfix, which could be improved:

1) Logging

More informative logging of what is happening when smtp is trying to establish a TLS connection using DANE, e.g. on DNS lookups, TLSA lookups and the results.

Better documentation of what is actually meant by these messages:

  Anonymous TLS connection established
  Trusted TLS connection established
  Verified TLS connection established

2) Problem with no AD flag when the resolver is querying an authoritative DNS

In this case Postfix is running on the same server as the authoritative server and using it as a recursive resolver. I had to change the resolv.conf file to an external DNS, but for various reasons this will not work properly in all cases. This issue should be solved, and at least be mentioned in the documentation for DANE, as it can be a showstopper.

3) TLS SNI

The documentation states that there are no plans to implement SNI in the Postfix SMTP server. Is this still valid? From my recent experience I can see that other mail servers do implement it. With the easy certificates obtainable from LetsEncrypt and many virtual hosts on the same server, it may be time to reevaluate this policy. Also to eliminate single points of failure.

- Jørgen Thomsen
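An added example to illustrate point 2 (it is not the poster's code and not part of Postfix): the DANE client only treats a TLSA answer as secure when the resolver sets the AD (Authenticated Data) bit in the DNS header, and a server answering from its own authoritative zone data sets AA but not AD. The two response headers below are constructed, not captured, and the names `parse_flags`, `dane_dns_status` and `parse_tlsa_rdata` are this example's own.

```python
import struct

# Constructed DNS response headers (12 bytes each, RFC 1035 layout):
#   QR=1 RD=1 RA=1 AD=1, RCODE=0  -> validating recursive resolver
#   QR=1 AA=1 RD=1 RA=1 AD=0, RCODE=0 -> server answering for its own zone
VALIDATING_RESOLVER_HDR = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
AUTHORITATIVE_HDR = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)


def parse_flags(msg: bytes) -> dict:
    """Decode the flag bits a DANE client cares about from a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & 0x8000),  # response, not query
        "aa": bool(flags & 0x0400),  # authoritative answer
        "ra": bool(flags & 0x0080),  # recursion available
        "ad": bool(flags & 0x0020),  # authenticated data (DNSSEC validated)
        "rcode": flags & 0x000F,
    }


def dane_dns_status(msg: bytes) -> str:
    """Classify a TLSA response the way a DANE client must: only an AD-flagged
    answer may be used to enforce DANE; anything else falls back to insecure."""
    f = parse_flags(msg)
    if not f["qr"] or f["rcode"] != 0:
        return "error"
    if not f["ad"]:
        # Typical for a resolver that is the authoritative server itself:
        # AA is set, AD is not, so the TLSA data is not DNSSEC-validated.
        return "insecure (no AD flag)"
    return "secure"


def parse_tlsa_rdata(rdata: bytes) -> tuple:
    """Split TLSA RDATA into (usage, selector, matching type, hex digest)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA needs 3 parameter bytes plus data")
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    return usage, selector, mtype, rdata[3:].hex()


if __name__ == "__main__":
    print(dane_dns_status(VALIDATING_RESOLVER_HDR))
    print(dane_dns_status(AUTHORITATIVE_HDR))
    # Constructed TLSA record: DANE-EE(3), SPKI(1), SHA-256(1), dummy digest.
    print(parse_tlsa_rdata(bytes([3, 1, 1]) + b"\x00" * 32))
```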