> On Sep 25, 2018, at 9:29 AM, Paul Menzel <pmen...@molgen.mpg.de> wrote:
>
> We want to improve that. Unfortunately, DANE is not an option as the DFN
> does not support that,
What do you mean by "DFN does not support that"? If by "DFN" you mean
"DFN-Verein", their certificates pose no compatibility issues with DANE.
For example:
uni-wuppertal.de. IN MX 20 mail1.uni-wuppertal.de. ; NoError AD=1
uni-wuppertal.de. IN MX 20 mail2.uni-wuppertal.de. ; NoError AD=1
mail1.uni-wuppertal.de. IN A 132.195.64.21 ; NoError AD=1
mail1.uni-wuppertal.de. IN AAAA 2001:638:50a:64::21 ; NoError AD=1
_25._tcp.mail1.uni-wuppertal.de. IN TLSA 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422 ; NoError AD=1
mail1.uni-wuppertal.de[132.195.64.21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
mail1.uni-wuppertal.de[2001:638:50a:64::21]: pass: TLSA match: depth = 0, name = mail1.uni-wuppertal.de
TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
name = mail1.uni-wuppertal.de
depth = 0
Issuer CommonName = Uni-Wuppertal CA
Issuer Organization = Bergische Universitaet Wuppertal
notBefore = 2016-11-02T09:23:43Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = mail1.uni-wuppertal.de
Subject Organization = Bergische Universitaet Wuppertal
pkey sha256 [matched] <- 3 1 1 e5ee04ac55b2dd966f1aa0011c90d8ab8284d2dce3480c48cde7bc12feca5422
depth = 1
Issuer CommonName = DFN-Verein PCA Global - G01
Issuer Organization = DFN-Verein
notBefore = 2014-05-27T14:53:55Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = Uni-Wuppertal CA
Subject Organization = Bergische Universitaet Wuppertal
pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
depth = 2
Issuer CommonName = Deutsche Telekom Root CA 2
Issuer Organization = Deutsche Telekom AG
notBefore = 2014-07-22T12:08:26Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = DFN-Verein PCA Global - G01
Subject Organization = DFN-Verein
pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
depth = 3
Issuer CommonName = Deutsche Telekom Root CA 2
Issuer Organization = Deutsche Telekom AG
notBefore = 1999-07-09T12:11:00Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = Deutsche Telekom Root CA 2
Subject Organization = Deutsche Telekom AG
pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6
mail2.uni-wuppertal.de. IN A 132.195.64.6 ; NoError AD=1
mail2.uni-wuppertal.de. IN AAAA 2001:638:50a:64::6 ; NoError AD=1
_25._tcp.mail2.uni-wuppertal.de. IN TLSA 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a ; NoError AD=1
mail2.uni-wuppertal.de[132.195.64.6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
mail2.uni-wuppertal.de[2001:638:50a:64::6]: pass: TLSA match: depth = 0, name = mail2.uni-wuppertal.de
TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
name = mail2.uni-wuppertal.de
depth = 0
Issuer CommonName = Uni-Wuppertal CA
Issuer Organization = Bergische Universitaet Wuppertal
notBefore = 2016-11-02T09:23:45Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = mail2.uni-wuppertal.de
Subject Organization = Bergische Universitaet Wuppertal
pkey sha256 [matched] <- 3 1 1 9739ebc5261100a62c488f48162816435872abddfcd0b6735e104a4fa7a7841a
depth = 1
Issuer CommonName = DFN-Verein PCA Global - G01
Issuer Organization = DFN-Verein
notBefore = 2014-05-27T14:53:55Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = Uni-Wuppertal CA
Subject Organization = Bergische Universitaet Wuppertal
pkey sha256 [nomatch] <- 2 1 1 894aabe20c4b0f55fe31261693303f034d9d3ca12bc3042eaed12f633e1ef357
depth = 2
Issuer CommonName = Deutsche Telekom Root CA 2
Issuer Organization = Deutsche Telekom AG
notBefore = 2014-07-22T12:08:26Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = DFN-Verein PCA Global - G01
Subject Organization = DFN-Verein
pkey sha256 [nomatch] <- 2 1 1 5732fe16d00abf36f83798a0985272bfcdc60fb0812bb632c3e47a5dd4517e68
depth = 3
Issuer CommonName = Deutsche Telekom Root CA 2
Issuer Organization = Deutsche Telekom AG
notBefore = 1999-07-09T12:11:00Z
notAfter = 2019-07-09T23:59:00Z
Subject CommonName = Deutsche Telekom Root CA 2
Subject Organization = Deutsche Telekom AG
pkey sha256 [nomatch] <- 2 1 1 d1de2ae61c8df2fa623966163d4c73d460bfc428e57585be6bfeb9a56323d1b6
> and a lot of German research organizations and institutes use that for
> receiving messages.
The DANE survey finds 21 domains with DFN-Verein certificates and working
DANE. There are almost certainly some that don't have DANE TLSA records,
but they could if they wanted to. As for "soft failure" with "verify"
(or "secure"), that's not presently supported in Postfix.
--
Viktor.
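The per-depth check visible in the output above (a "3 1 1" record compared with the SHA-256 of the leaf's SubjectPublicKeyInfo at depth 0, "2 1 1" records tried only against the issuing CAs) is shown here as an added Go example. It is not code from this thread, from Postfix or from posttls-finger. The chain it checks is constructed inside the program (a self-signed "Example CA" and a leaf for mx1.example.test, both hypothetical names), so no network or DNS lookup is involved; it goes slightly beyond the "1 1" case in the output by also accepting selector 0 (full certificate) and matching type 0 (exact data). Only the DANE-EE (3) and DANE-TA (2) usages are modelled; PKIX usages 0 and 1 would also need a trust store and are left out. Note also that a DANE-TA match on its own does not complete verification, which still requires the leaf name to match and the chain to be signature-verified.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds one TLSA RR: usage (2 = DANE-TA, 3 = DANE-EE), selector
// (0 = full certificate, 1 = SubjectPublicKeyInfo), matching type
// (0 = exact, 1 = SHA-256) and the association data from DNS.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// TLSAData derives the association data for cert under the given selector
// and matching type, i.e. what a "3 1 1" or "2 1 1" record for it carries.
func TLSAData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch mtype {
	case 0:
		return in, nil
	case 1:
		h := sha256.Sum256(in)
		return h[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", mtype)
	}
}

// MatchChain applies the depth rule the output shows: a usage-3 record is
// compared only with the leaf (depth 0), a usage-2 record only with the
// issuing CAs (depth >= 1). It returns the matching depth, or -1.
func MatchChain(chain []*x509.Certificate, rr TLSA) int {
	if rr.Usage != 2 && rr.Usage != 3 {
		return -1 // PKIX-TA/PKIX-EE need a trust store; not modelled here
	}
	for depth, cert := range chain {
		if (rr.Usage == 3 && depth != 0) || (rr.Usage == 2 && depth == 0) {
			continue
		}
		data, err := TLSAData(cert, rr.Selector, rr.MatchingType)
		if err != nil {
			return -1
		}
		if bytes.Equal(data, rr.Data) {
			return depth
		}
	}
	return -1
}

// MakeChain builds a constructed two-certificate chain, leaf first, as a
// receiving MTA would present it: mx1.example.test signed by "Example CA".
func MakeChain() ([]*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA", Organization: []string{"Example Org"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mx1.example.test"},
		DNSNames:     []string{"mx1.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

func main() {
	chain, err := MakeChain()
	if err != nil {
		panic(err)
	}
	// The "3 1 1" record an operator would publish for this leaf.
	leafData, _ := TLSAData(chain[0], 1, 1)
	rr := TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: leafData}
	for depth, cert := range chain {
		data, _ := TLSAData(cert, 1, 1)
		state := "nomatch"
		if MatchChain(chain, rr) == depth {
			state = "matched"
		}
		fmt.Printf("depth = %d\nSubject CommonName = %s\npkey sha256 [%s] <- %d %d %d %s\n",
			depth, cert.Subject.CommonName, state, rr.Usage, rr.Selector, rr.MatchingType, hex.EncodeToString(data))
	}
}
```

Running it prints a per-depth report in the same shape as the output above, with "matched" at depth 0 only; swapping in a usage-2 record built from the CA's key moves the match to depth 1.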