> On Nov 15, 2018, at 10:32 AM, J. Thomsen <l...@jth.net> wrote:
>
> 1) logging
>
> More informative logging of what is happening, when smtp is trying to
> establish a TLS connection using dane e.g. on dns lookups, TLSA lookups
> and the results

Please be more specific. What exactly would you like to see logged, perhaps
with a suggested format. See the posttls-finger(1) manpage, do any of the
fine-grained (-L logopts) logging features there do what you need?

http://www.postfix.org/posttls-finger.1.html

> Better documentation of what is actually meant by these messages:
>
> Anonymous TLS connection established
> Trusted TLS connection established
> Verified TLS connection established

http://www.postfix.org/FORWARD_SECRECY_README.html#status

> 2) problem with no ad flag when the resolver is querying an authoritative DNS
>
> In this case Postfix is running on the same server as the authoritative
> server and using it as a recursive resolver. I had to change the
> resolv.conf file to an external DNS, but for various reasons this will
> not work properly in all cases.

The simplest advice is to split the authoritative and recursive services.
I have authoritative servicing the machine's public IP, and the recursive
servicing only 127.0.0.1 and ::1. Separating authoritative and recursive
services is good for many reasons, not just Postfix's use of the AD bit.

> This issue should be solved, and at least be mentioned in the documentation
> for DANE, as it can be a showstopper.

Yes, a comprehensive DANE_README document is needed.

> 3) TLS SNI
>
> The documentation states, that there are no plans to implement SNI in the
> Postfix SMTP server. Is this still valid?

No, SNI support is under development.

-- 
Viktor.
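The AD-bit point in the thread above is easy to check from the mail host itself. The following is an added example, not code from the thread, from Postfix or from Viktor: it builds a TLSA query with the AD bit requested (RFC 6840), decodes the header flags of a DNS response, and reports whether the answer carries the AD (Authenticated Data) flag that Postfix requires before it will trust TLSA records for DANE. The resolver address 127.0.0.1, the sample name `_25._tcp.mail.example.com` and the two sample responses are constructed for illustration; an authoritative server answering for its own zone typically sets AA but not AD, which is exactly the split-service problem described in the reply.

```python
import socket
import struct

# DNS header is 12 bytes: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035).
# Flag bits (RFC 1035 / RFC 4035): QR=0x8000 AA=0x0400 TC=0x0200 RD=0x0100
#                                  RA=0x0080 AD=0x0020 CD=0x0010 RCODE=0x000F
TYPE_TLSA = 52  # RRTYPE for TLSA records (RFC 6698)
CLASS_IN = 1


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a wire-format DNS query with RD and AD set.
    Setting AD in the query asks the resolver to report validation
    status in its response (RFC 6840 section 5.7)."""
    flags = 0x0100 | 0x0020  # RD | AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def parse_flags(message: bytes) -> dict:
    """Decode the header flag bits of a DNS message (query or response)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def dane_usable(response: bytes) -> bool:
    """A TLSA answer is only usable for DANE when the resolver validated it
    (AD set), the reply is a non-truncated response, and RCODE is NOERROR."""
    f = parse_flags(response)
    return f["qr"] and f["ad"] and not f["tc"] and f["rcode"] == 0


def query_resolver(qname: str, qtype: int = TYPE_TLSA,
                   server: str = "127.0.0.1", timeout: float = 3.0) -> bytes:
    """Send the query over UDP to the local resolver and return the raw reply.
    Assumes a resolver listening on 127.0.0.1:53 (constructed assumption)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return data


# Constructed sample responses (header only; only the flag bits matter here).
# 0x81A0 = QR RD RA AD  -> a validating recursive resolver
VALIDATING_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# 0x8580 = QR AA RD RA  -> an authoritative server answering its own zone, no AD
AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)


if __name__ == "__main__":
    for label, reply in (("validating", VALIDATING_REPLY),
                         ("authoritative", AUTHORITATIVE_REPLY)):
        print(label, parse_flags(reply), "DANE usable:", dane_usable(reply))
    # Live check against the local resolver (requires a resolver on 127.0.0.1):
    try:
        live = query_resolver("_25._tcp.mail.example.com")
        print("local resolver AD bit:", parse_flags(live)["ad"])
    except OSError as exc:
        print("no resolver reachable on 127.0.0.1:", exc)
```

If the live check prints `False` for a zone you know is DNSSEC-signed, the resolver in `resolv.conf` is not a validating recursive service, which is the situation in point 2 of the thread; pointing Postfix at a validating recursive resolver bound to 127.0.0.1 and ::1 is the fix the reply recommends.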