On Thu, Jan 16, 2014 at 10:58:16AM -0500, Warren Kumari wrote:
> Hopefully they will manage to get this done in January -- once that is
> done, adding the TLSA record (and updating the documentation!) should
> be (hopefully) quick and easy...
>
> 220 ietfa.amsl.com ESMTP Postfix
> EHLO example.com
> 250-ietfa.amsl.com
> 250-PIPELINING
> 250-SIZE 67108864
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
Recommended reading for AMSL:
http://www.postfix.org/TLS_README.html#server_tls
http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
Postfix 2.11.0 has been released. If they are in a position to
build their own package, they should consider going with that.
Otherwise, they can upgrade at a later date, when their O/S vendor
makes an updated package available.
With 2.11 they get TLS session ticket support in the Postfix
SMTP server and DANE support in the Postfix SMTP client.
Best-practice configuration:
Postfix configured for opportunistic TLS or opportunistic DANE TLS
if >= 2.11.0:
/etc/postfix/main.cf:
# Server TLS
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
# Client TLS: Postfix < 2.11
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# In most cases do not configure a client certificate
smtp_tls_cert_file =
smtp_tls_key_file =
# Client TLS additions/changes for Postfix >= 2.11
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
For DANE security, a DNSSEC-validating recursive resolver is required
on the MTA machine, as the sole entry in:
/etc/resolv.conf:
domain amsl.com
nameserver 127.0.0.1
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
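The two checks an operator would want after reading this thread, as an added example that is not part of the message above nor of the Postfix project: first, does a server's EHLO reply (like the one Warren quoted) advertise STARTTLS at all, and second, does a main.cf carry the server and client TLS/DANE settings Viktor recommends. The EHLO transcript and the main.cf text in the block are constructed sample input, and the main.cf sample deliberately contains a missing `=` and a `dane` client policy without `smtp_dns_support_level = dnssec`, so the linter has something to report.

```python
"""Audit helpers: does an SMTP server advertise STARTTLS, and does a Postfix
main.cf carry the TLS/DANE settings recommended in this thread?  Added
example, not code from the message or from Postfix; the EHLO transcript and
the main.cf text below are constructed sample input."""
import re

# Constructed EHLO response modelled on the one quoted in the thread: AUTH is
# offered but STARTTLS is not, so logins would cross the network in the clear.
SAMPLE_EHLO = """250-mail.example.com
250-PIPELINING
250-SIZE 67108864
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-8BITMIME
250 DSN"""

# Constructed main.cf with two of the mistakes the linter looks for: a missing
# '=' (Postfix rejects the line) and DANE without a DNSSEC resolver setting.
SAMPLE_MAIN_CF = """# Server TLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd-chain.pem
smtpd_tls_key_file = /etc/postfix/smtpd-key.pem
smtpd_tls_dh1024_param_file /etc/postfix/dh2048.pem
# Client TLS
smtp_tls_security_level = dane
smtp_tls_cert_file =
"""


def parse_ehlo(response):
    """Return the EHLO keywords (upper-case, parameters stripped).  The first
    250 line carries the server name, not a capability, and is skipped."""
    caps = set()
    for line in response.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            caps.add(m.group(1).split("=", 1)[0].upper())  # AUTH=PLAIN -> AUTH
    return caps


def audit_ehlo(response):
    """Findings about the capability list, as plain strings (empty = fine)."""
    caps = parse_ehlo(response)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: neither opportunistic TLS nor DANE can be used")
        if "AUTH" in caps:
            findings.append("AUTH offered without STARTTLS: credentials sent in clear")
    return findings


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict.  Lines that are neither comment
    nor assignment are reported as errors (a missing '=' is the classic typo).
    Indented lines continue the previous value, as in real main.cf syntax."""
    settings, errors, last = {}, [], None
    for num, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            settings[last] = (settings[last] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            errors.append(f"line {num}: no '=' in {raw.strip()!r}")
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        settings[last] = value.strip()
    return settings, errors


def check_tls_config(settings):
    """Compare parsed settings against the recommendations in the thread."""
    findings = []
    if settings.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level unset: server offers no STARTTLS")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not settings.get(key):
            findings.append(f"{key} unset: server TLS cannot start without it")
    client = settings.get("smtp_tls_security_level", "")
    if client in ("", "none"):
        findings.append("smtp_tls_security_level unset: outbound mail goes in the clear")
    if client == "dane" and settings.get("smtp_dns_support_level") != "dnssec":
        findings.append("smtp_tls_security_level = dane needs smtp_dns_support_level = dnssec")
    if settings.get("smtp_tls_cert_file"):
        findings.append("smtp_tls_cert_file set: a client certificate is rarely needed")
    return findings


if __name__ == "__main__":
    for f in audit_ehlo(SAMPLE_EHLO):
        print("EHLO:", f)
    cfg, errs = parse_main_cf(SAMPLE_MAIN_CF)
    for e in errs:
        print("main.cf syntax:", e)
    for f in check_tls_config(cfg):
        print("main.cf policy:", f)
```

On the sample input the EHLO audit reports the missing STARTTLS and the cleartext AUTH, and the main.cf linter reports the `=`-less `smtpd_tls_dh1024_param_file` line plus the DANE policy lacking a DNSSEC resolver setting; the resolver itself (a validating recursor in /etc/resolv.conf, as Viktor notes) is outside what a main.cf parser can verify.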