On Thu, May 27, 2021 at 04:48:15PM +0100, Matthew Richardson wrote:

> I am trying to work out the correct incantation in order to specify for a
> given outgoing domain that:-
> 
> * TLS is mandatory, the message is not sent unencrypted; and
> * if DANE is present AND if it fails to match, the message is not sent

I'm afraid that's not currently possible.  You can mandate DANE via a
setting of "dane-only" or opportunistically use DANE via "dane", which
in the absence of TLSA records defaults to opportunistic TLS, which may
in turn send in the clear when TLSA records are determined to be absent.

> The problem (if I am reading it correctly!) is that "dane" falls back only
> to "may" if there are no TLSA records.

That's right, we'd need a new dane-or-encrypt level, or a more complex
policy specification syntax which supports "fallback" levels when a
non-deterministic level such as DANE does not find its pre-requisites to
be available.

-- 
    Viktor.
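One workaround for the gap Viktor describes, added here as example code (not from the thread or from Postfix itself): precompute a per-destination `smtp_tls_policy_maps` table out of band, choosing `dane-only` when every MX host of a domain publishes TLSA records and `encrypt` otherwise, so the fallback never drops to `may`. It assumes `dig` is on the path and points at a DNSSEC-validating resolver; the function names and the constructed sample data are mine.

```python
import subprocess
from typing import Callable, Iterable, List

Lookup = Callable[[str, str], List[str]]


def dig_short(rrtype: str, name: str) -> List[str]:
    """Run `dig +short <rrtype> <name>` and return the non-empty answer lines.
    This does a real DNS query; tests pass a constructed lookup instead."""
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def mx_hosts(domain: str, lookup: Lookup = dig_short) -> List[str]:
    """MX targets of a domain ('10 mx1.example.org.' -> 'mx1.example.org').
    With no MX records SMTP uses the domain's own address records, so the
    domain itself is the (only) host in that case."""
    hosts = [rr.split()[-1].rstrip(".") for rr in lookup("MX", domain)]
    return hosts or [domain]


def has_tlsa(host: str, lookup: Lookup = dig_short) -> bool:
    """True when _25._tcp.<host> has at least one TLSA record.
    Presence only: DNSSEC validity (the AD bit) is left to the resolver."""
    return bool(lookup("TLSA", f"_25._tcp.{host}"))


def policy_level(domain: str, lookup: Lookup = dig_short) -> str:
    """'dane-only' only if *every* MX host publishes TLSA; a partially covered
    domain would otherwise defer mail to the MX hosts without TLSA.
    'encrypt' still refuses to send in the clear, but does no DANE matching."""
    if all(has_tlsa(h, lookup) for h in mx_hosts(domain, lookup)):
        return "dane-only"
    return "encrypt"


def tls_policy_table(domains: Iterable[str], lookup: Lookup = dig_short) -> str:
    """Render the lines of a Postfix smtp_tls_policy_maps hash table."""
    return "".join(f"{d}\t{policy_level(d, lookup)}\n" for d in domains)


if __name__ == "__main__":
    import sys
    sys.stdout.write(tls_policy_table(sys.argv[1:]))
```

The table only reflects the DNS state at generation time, so it has to be regenerated regularly, and a domain that later drops its TLSA records will have its mail deferred under `dane-only` rather than falling back, which is the fail-closed behaviour the question asks for.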