Hi! For the next release (3.10), I'd like to propose that unknown tags returned by TLS policy socketmap servers are logged as warnings, but never regarded as an invalid policy. This would avoid delivery errors introduced by future additions, when an older Postfix version doesn't support a tag yet.
For example:
dane-only match=…
Should warn about match= not being supported by the current version, but
shouldn't result in a fatal error.
———
Another proposal (for Postfix 3.11+) would be the addition of a new security
level: dane-or-encrypt
It should try Opportunistic DANE first and fall back to encrypt
(Unauthenticated TLS) at worst, but never to plaintext.
More complex/granular instructions could be considered too, like:
dane-only or={ secure match=… policy_string = { … } }
This would handle mixed MX records, where some (the primary MX) support DANE
and the others (backups) support MTA-STS only. These are very unusual
setups, though, but it would still be implementable.
Best regards
Ömer
_______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
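As an added example (not code from the mail above, and not Postfix's own implementation), a small Python model of the two proposals. parse_policy() accepts a policy string in the shape smtp_tls_policy_maps entries use, keeps the attributes Postfix documents (match, ciphers, protocols, exclude, tafile, servername, connection_reuse) and logs any unknown attribute as a warning instead of treating the whole policy as invalid; an unknown security level is still rejected, because there is no safe default to guess. resolve_effective_level() models how the proposed dane-or-encrypt level would choose an effective level from the outcome of the TLSA lookup, next to the documented behaviour of the existing dane level. The level name dane-or-encrypt, the function names and the sample entries are assumptions for illustration only.

```python
import logging
from typing import Dict, List, Tuple

log = logging.getLogger("tls_policy")

# Security levels Postfix documents for smtp_tls_policy_maps (postconf(5)).
KNOWN_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                "fingerprint", "verify", "secure"}
# Proposed level from the mail; not implemented by Postfix (assumption).
PROPOSED_LEVELS = {"dane-or-encrypt"}
# Attribute names Postfix documents for policy entries.
KNOWN_ATTRS = {"ciphers", "protocols", "match", "exclude", "tafile",
               "servername", "connection_reuse"}


def parse_policy(entry: str) -> Tuple[Dict[str, object], List[str]]:
    """Parse a policy string such as 'dane-only match=example.org'.

    Unknown attributes are collected as warnings and otherwise ignored,
    which is the forward-compatible behaviour the mail proposes.
    An unknown security level is a hard error: guessing it could
    silently weaken the policy.
    """
    tokens = entry.split()
    if not tokens:
        raise ValueError("empty policy entry")
    level = tokens[0]
    if level not in KNOWN_LEVELS and level not in PROPOSED_LEVELS:
        raise ValueError(f"unknown security level {level!r}")

    attrs: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        if not sep:
            warnings.append(f"malformed attribute {tok!r} ignored")
            continue
        if name not in KNOWN_ATTRS:
            # Newer Postfix may know this tag; older versions only warn.
            warnings.append(f"unsupported attribute {name!r} ignored")
            continue
        # Attributes such as match= may be repeated; keep every value.
        attrs.setdefault(name, []).append(value)

    for w in warnings:
        log.warning("policy %r: %s", entry, w)
    return {"level": level, "attrs": attrs}, warnings


def resolve_effective_level(level: str, tlsa: str) -> str:
    """Pick the effective level after the TLSA lookup.

    tlsa is one of 'usable', 'unusable' or 'absent'.
    Existing 'dane' (per Postfix DANE_README): no TLSA records -> may,
    records found but none usable -> encrypt, usable records -> dane.
    Proposed 'dane-or-encrypt' (assumption): usable -> dane, anything
    else -> encrypt, so plaintext is never an option.
    """
    if tlsa not in ("usable", "unusable", "absent"):
        raise ValueError(f"bad TLSA state {tlsa!r}")
    if level == "dane-or-encrypt":
        return "dane" if tlsa == "usable" else "encrypt"
    if level == "dane":
        return {"usable": "dane", "unusable": "encrypt", "absent": "may"}[tlsa]
    # dane-only and the non-DANE levels are not changed by the lookup.
    return level


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample entries: one current, one carrying a future tag.
    for sample in ("dane-only match=example.org",
                   "dane-only match=example.org newtag=value"):
        policy, warns = parse_policy(sample)
        print(policy, warns)
    print(resolve_effective_level("dane-or-encrypt", "absent"))
```

The point of the split between attributes and levels is that an unrecognised attribute can only narrow what the policy already requires, so ignoring it with a warning keeps mail flowing, whereas an unrecognised level carries the whole security decision.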
