On Tue, Feb 25, 2014 at 09:57:13AM +0100, Dirk Stöcker wrote:

> smtp_dns_support_level = dnssec
>
> was enough to fix this. I'll see how many servers will have a
> "Verified" connection in the future.

I hope you read the note about the importance of having 127.0.0.1 and/or ::1 as the only nameservers listed in /etc/resolv.conf, and of course the local recursive resolver needs to be configured to do DNSSEC validation. With that in place, and with:

    smtp_tls_security_level = dane

you'll be able to send validated email to debian.org, nlnetlabs.nl (the unbound maintainers), Patrick Koetter and personal domains of some of the members of the DANE working group.

Today, adoption is at 0.00%, but I'm hoping to see the needle start moving this year.

--
Viktor.
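
The following is an added example, not part of the original message or of Postfix: a small offline check of the two prerequisites named in the thread (loopback-only nameservers in resolv.conf, and the two main.cf settings). The function names and sample inputs are constructed for illustration, accepting `dane-only` alongside `dane` is an assumption, and the check cannot tell whether the local resolver actually validates DNSSEC.

```python
import ipaddress

# Per the message above: only these two addresses may appear as nameservers.
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
REQUIRED = {  # Postfix main.cf parameter -> acceptable values
    "smtp_dns_support_level": {"dnssec"},
    "smtp_tls_security_level": {"dane", "dane-only"},
}

def nonlocal_nameservers(resolv_conf):
    """Return nameserver entries that are not 127.0.0.1 or ::1."""
    bad = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            addr = ipaddress.ip_address(fields[1].split("%")[0])
        except ValueError:
            bad.append(fields[1])  # unparsable entry: report it
            continue
        if addr not in LOOPBACK:
            bad.append(fields[1])
    return bad

def postfix_params(main_cf):
    """Parse main.cf text: 'name = value', indented continuations, # comments."""
    params, name = {}, None
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value  # a later definition overrides an earlier one
    return params

def dane_findings(resolv_conf, main_cf):
    """List settings that differ from what the thread says DANE needs."""
    findings = [f"resolv.conf: nameserver {ns} is not 127.0.0.1 or ::1"
                for ns in nonlocal_nameservers(resolv_conf)]
    params = postfix_params(main_cf)
    for name, allowed in REQUIRED.items():
        if params.get(name) not in allowed:
            findings.append(f"main.cf: {name} = {params.get(name)!r}, "
                            f"expected one of {sorted(allowed)}")
    return findings

# Constructed sample input (192.0.2.53 is a documentation address).
BAD_RESOLV = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"
BAD_MAIN_CF = "# constructed\nsmtp_tls_security_level = may\n"
if __name__ == "__main__":
    for finding in dane_findings(BAD_RESOLV, BAD_MAIN_CF):
        print(finding)
```

On a real host, pass it the contents of /etc/resolv.conf and the Postfix main.cf file.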