Wietse Venema:
> Viktor Dukhovni:
> > On Mon, Feb 13, 2023 at 07:33:35PM -0500, Wietse Venema wrote:
> >
> > > There's a first implementation in postfix-3.8-20230213-nonprod.
> > > Docs: https://www.postfix.org/postconf.5.html#use_srv_lookup
> > > Code: http://ftp.porcupine.org/mirrors/postfix-release/index.html#non-prod
> > >
> > > To see all SRV related changes, diff the code against
> > > postfix-3.8-20230213.
> > > Code:
> > > http://ftp.porcupine.org/mirrors/postfix-release/index.html#experimental
> >
> > How does this interact with DANE? If the SRV RRset is DNSSEC-signed, do
> > we get TLSA lookups for _<port>._tcp.<target> (possibly after secure
> > end-to-end CNAME expansion), just as with MX lookups?
>
> The SRV lookup code is almost identical to the MX lookup code; it
> returns the same mxrr value with rname and qname values.
>
> SMTP_ITERATOR.port is updated with SRV port information, so that
>
>     dane = tls_dane_resolve(iter->port, "tcp", iter->rr,
>                             var_smtp_tls_force_tlsa)
>
> will use the correct remote port.

While we're on the topic of DANE, is there any reason why TLSA info
is never looked up for destinations specified as [domain-name]?

	Wietse
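
As an added illustration of the `_<port>._tcp.<target>` naming discussed in this thread (not Postfix code and not written by either poster), the sketch below derives the TLSA query name from an SRV record and skips the lookup when the SRV RRset is not DNSSEC-validated. The `struct srv_rr` type, the `tlsa_qname()` function and the sample records are hypothetical, and CNAME expansion of the target is assumed to have happened already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record type for this example; not a Postfix structure. */
struct srv_rr {
    const char *target;    /* SRV target host name */
    unsigned port;         /* SRV port */
    int dnssec_ok;         /* 1 if the SRV RRset validated as secure */
};

/*
 * Build "_<port>._tcp.<target>" in buf.
 * Returns 1 if a TLSA lookup applies, 0 if it must be skipped
 * (unsigned RRset, or empty/"." target), -1 on bad input.
 */
int tlsa_qname(const struct srv_rr *rr, char *buf, size_t len)
{
    size_t tlen;
    int n;

    if (rr == NULL || rr->target == NULL || buf == NULL || len == 0)
        return -1;
    if (rr->port == 0 || rr->port > 65535)
        return -1;
    if (!rr->dnssec_ok)
        return 0;          /* unsigned SRV data must not select TLSA records */
    tlen = strlen(rr->target);
    if (tlen > 0 && rr->target[tlen - 1] == '.')
        tlen--;            /* drop the trailing root dot */
    if (tlen == 0)
        return 0;          /* target "." means the service is not offered */
    n = snprintf(buf, len, "_%u._tcp.%.*s", rr->port, (int) tlen, rr->target);
    if (n < 0 || (size_t) n >= len)
        return -1;         /* a truncated name would query the wrong owner */
    return 1;
}

int main(void)
{
    /* Constructed sample records, not taken from real DNS data. */
    struct srv_rr samples[] = {
        {"mail.example.org.", 587, 1},
        {"mail.example.org.", 587, 0},
        {".", 25, 1},
    };
    char name[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = tlsa_qname(&samples[i], name, sizeof name);
        printf("%s port %u -> %s\n", samples[i].target, samples[i].port,
               rc == 1 ? name : rc == 0 ? "(no TLSA lookup)" : "(error)");
    }
    return 0;
}
```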