On Thu, Jul 06, 2017 at 07:37:47PM +0200, Paul Menzel wrote:

> There are several SMTP servers, where messages should only be sent over a
> secure channel. But, the postmasters have set up the servers differently.
> Some use CAs to sign their certificates and some DANE with self-signed
> certificates.
>
> To avoid maintaining two TLS policies, one where for
> `smtp_tls_security_level` the value `secure` is specified, and another with
> `dane-only` [1], and keeping an eye out, when SMTP switch to or from DANE,
> is there a way to maintain one list? So if no DANE records are published, it
> falls back to secure certificate verification?
>
> Like `dane` falls back to `may`?

Wietse and I have discussed something along these lines some time back, but
nothing of that sort has as yet been implemented.

--
Viktor.