raf via Postfix-users <postfix-users@postfix.org> writes:

> On Thu, May 11, 2023 at 03:17:21PM +0900, Byung-Hee HWANG via Postfix-users
> <postfix-users@postfix.org> wrote:
>
>> Hello Postfix hackers,
>>
>> I have a question while reading the DANE docs. Is DNSSEC mandatory for
>> making a DANE mail server?
>>
>> For now I'm running two Postfix servers in public. Actually, I'm a beginner
>> in both DANE and DNSSEC.
>>
>> Any comments welcome!
>>
>> Sincerely, Byung-Hee
>
> Hi Byung-Hee,
>
> As others have said, if you want incoming DANE, you need DNSSEC.
> Bind9 makes it incredibly easy to enable DNSSEC. It's literally
> two extra lines in your configuration (unless you get fancy with
> automatic expiry and rollover - and that's easy too), plus you
> need to supply some information to your domain registrar for them
> to put into their servers. If your domain registrar doesn't support
> DNSSEC, or doesn't make it easy, find one that does. You'll need
> to interact with them every time you roll over your DNSSEC keys
> (e.g., maybe annually).
Thank you! I'll consider it, step by step.

> As for the TLSA records you need to create for your mail servers,
> I recommend my "danectl" program which can generate TLSA records
> for you to publish in the DNS, and you can use it to monitor that
> they have been published. Recent versions include a couple of adapters
> to help publish the TLSA records in the DNS, but only if you edit your
> own bind9 zone files or use nsupdate for a dynamic zone. A big
> prerequisite of danectl is certbot to handle the actual key/certificate
> generation. danectl doesn't work with any other ACME client.

Yes, I did check out danectl by Googling, thanks!

> There are technically many ways to do TLSA DANE but only one great
> way (TLSA 3 1 1 current + next) which is what danectl supports.
> The idea is to always have two keys/certificates and their corresponding
> TLSA records available for use all the time: the current one, and the
> next one. Whenever you want to roll over your key, you can immediately
> switch to the next one which is already published in the DNS and
> ready to go while you prepare the new next key/certificate and its
> corresponding TLSA record (for the next rollover). This ensures that
> every rollover works seamlessly because you never have the situation
> where things aren't working while your TLSA records are propagating
> around the DNS because they were published well before they were
> required.
>
> Here are some wikis that might help:
>
> https://github.com/baknu/DANE-for-SMTP/wiki
> https://github.com/internetstandards/toolbox-wiki
>
> cheers,

Thanks raf!

At the above wiki, I found the EMSP guideline for Germany, because my mail server (yw-1204.doraji.xyz) is located in Frankfurt, Germany.

All docs and comments are useful for me.

Thanks again raf!

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
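The "TLSA 3 1 1 current + next" scheme raf describes, as an added worked example. This is my own illustration, not code from the thread, from danectl or from Postfix. It assumes a POSIX shell with the openssl command; the host name mail.example.com, the key file names and the sample dig output are constructed for the demo. A "3 1 1" record is usage DANE-EE (3), selector SPKI (1), matching type SHA-256 (1), i.e. the SHA-256 of the DER-encoded SubjectPublicKeyInfo, so it depends only on the key: renewing a certificate with the same key leaves the record unchanged, which is what makes pre-publishing the next key's record safe.

```sh
#!/bin/sh
# Added example (not from the thread, danectl or Postfix). Assumes POSIX sh
# and openssl; host and file names are made up, the dig output is constructed.
set -eu

# TLSA 3 1 1: SHA-256 over the DER SubjectPublicKeyInfo of the key, as hex.
tlsa311_from_key() {      # $1 = private key file (PEM)
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# Same digest computed from a certificate: must equal the key-based value,
# so a certificate renewed with the same key needs no DNS change.
tlsa311_from_cert() {     # $1 = certificate file (PEM)
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# Zone lines for "current + next": both records stay published all the time,
# so switching Postfix to the next key never waits on DNS propagation.
tlsa_zone_lines() {       # $1 = MX host name, $2.. = key files (current, next)
  host=$1; shift
  for key in "$@"; do
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$host" "$(tlsa311_from_key "$key")"
  done
}

# Pre-rollover check against the live answer of
#   dig +short +dnssec TLSA _25._tcp.$host > dig.out
# Succeeds only if the next key's digest is already visible in the DNS.
next_is_published() {     # $1 = next key file, $2 = file holding the dig output
  grep -qi "3 1 1 $(tlsa311_from_key "$1")" "$2"
}

# Demo on two freshly generated keys (constructed stand-ins for the
# certbot-managed current and next keys; EC P-256 keeps it fast).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$tmp/current.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$tmp/next.key" 2>/dev/null
openssl req -x509 -new -key "$tmp/current.key" -subj /CN=mail.example.com -days 30 \
  -out "$tmp/current.crt" 2>/dev/null

tlsa_zone_lines mail.example.com "$tmp/current.key" "$tmp/next.key"
```

Usage: publish both lines, wait until `next_is_published` succeeds against a dig answer from a validating resolver, and only then point Postfix's smtpd_tls_chain_files (or smtpd_tls_key_file/smtpd_tls_cert_file) at the next key and certificate; the old "current" record can then be retired and a fresh "next" key generated and published for the following rollover.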