Viktor Dukhovni via Postfix-users:
> On Sat, Feb 08, 2025 at 05:28:31PM +0100, Ömer Güven via Postfix-users wrote:
>
> > RFC 7672 says that Opportunistic DANE (security level "dane", but not
> > "dane-only") may accept non-DNSSEC-derived MX records as eligible for
> > DANE on the DNSSEC-signed (e.g. external) SMTP server.
> >
> > RFC 7672 Section 2.2.1:
>
> The primary author of RFC 7672 was also the implementor of DANE support
> in Postfix (and later OpenSSL), with the implementation developed in
> parallel with the specification. Unsurprisingly, the Postfix
> implementation matches the specification.
>
> > This currently isn't the case. Even if a socketmap server returns
> > 'dane' Postfix doesn't choose DANE when the MX is retrieved with no
> > DNSSEC signature.
>
> This is not true. See:
>
> http://www.postfix.org/postconf.5.html#smtp_tls_dane_insecure_mx_policy
The default for this is:
    smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
I have one question:
- Should this expression use the security level from
main.cf:smtp_tls_security_level?
- Or should it use the actual security level after policy lookup?
If the latter, then some code will need to be moved.
Wietse
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
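As an added illustration (not part of the thread, and not taken from the Postfix documentation), the main.cf fragment below puts the two settings the default expression ties together side by side. If the default is evaluated against the main.cf value of smtp_tls_security_level (the first of the two readings Wietse lists), then a site that leaves the global level at "may" and requests DANE only per destination through a policy table gets an insecure-MX policy of "may" even for destinations the table marks "dane"; setting the parameter explicitly removes that dependency. The socketmap endpoint on 127.0.0.1:2222, the map name "tlspolicy" and the destination example.com are assumptions made for the example.

```ini
# main.cf fragment: added example, not from the thread or the Postfix docs.
# Assumptions: a socketmap daemon on 127.0.0.1:2222 exposing a map named
# "tlspolicy", which answers "dane" for example.com.

# DANE requires DNSSEC-aware lookups through a validating resolver.
smtp_dns_support_level = dnssec

# Global level stays opportunistic; DANE is requested per destination
# by the policy table (e.g. "example.com dane").
smtp_tls_security_level = may
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:2222:tlspolicy

# Weak (the built-in default, shown here commented out): the insecure-MX
# policy is derived from the global level, which is "may" here, not from
# the "dane" that the policy table returns for a given destination.
# smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}

# Corrected: state the intent explicitly, so that an MX record obtained
# without DNSSEC validation is still eligible for DANE when the MX host's
# own TLSA records validate.
smtp_tls_dane_insecure_mx_policy = dane
```

To check what a running system actually ends up with, `postconf -x smtp_tls_dane_insecure_mx_policy` prints the parameter with its `$name` expansions resolved from main.cf. Note the limit of what "dane" buys here: it only upgrades delivery to MX hosts whose own TLSA records are DNSSEC-validated; an unsigned MX record that points at a host with no TLSA records still gets plain opportunistic TLS, which is why "dane-only" does not accept unsigned MX records at all.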