> As Jeremy already pointed out, DANE is about receiving, giving the
> sender a chance to check the recipient's server. If Mailcow suggests
> that you use TLSA records, your question is probably about services
> that would use these records to avoid sending mails destined for your
> domain to the wrong server.

Yes, this was my mistake. You are correct.

> I'm not sure if Gmail does, but it *seems* that GMX (a German mail
> service) does checking of my TLSA records. (I can tell, because once I
> messed up these records and messages from @gmx.de to my domains bounced
> back to their GMX senders.)
>
> I'm not sure if GMX can be counted as a major service.

This is an interesting anecdote, thanks.

> For mail clients this question isn't relevant, if this is meant as
> "MUA", since MUAs normally talk to their submission hosts, and often do
> certificate checking similar to what HTTPS clients do: compare the
> certificate's CN and SAN with the hostname they connect to and verify
> the certificate against locally stored trusted CAs.

Not sure how that makes it irrelevant. Just like in HTTPS clients, DANE provides an additional layer of validation, i.e. with DANE you can check for a specific cert fingerprint, whereas with normal validation you trust any valid matching cert issued by any trusted CA. In my view, DANE would be useful in mail clients. Just not sure if any actually use it.

On Thu, Jul 11, 2019 at 5:46 PM Heiko Schlittermann via mailop <[email protected]> wrote:

> Ross Tajvar via mailop <[email protected]> (Do 11 Jul 2019 17:58:36 CEST):
> > However, the mail server I'm using (Mailcow) suggests I add TLSA records
> > for ports that serve SMTP, POP3, and IMAP (as well as HTTPS). I'm curious,
> > do any major mail services actually validate these records when receiving
> > mail? Do any major mail clients?
>
> As Jeremy already pointed out, DANE is about receiving, giving the
> sender a chance to check the recipient's server. If Mailcow suggests
> that you use TLSA records, your question is probably about services
> that would use these records to avoid sending mails destined for your
> domain to the wrong server.
>
> I'm not sure if Gmail does, but it *seems* that GMX (a German mail
> service) does checking of my TLSA records. (I can tell, because once I
> messed up these records and messages from @gmx.de to my domains bounced
> back to their GMX senders.)
>
> I'm not sure if GMX can be counted as a major service.
>
> For mail clients this question isn't relevant, if this is meant as
> "MUA", since MUAs normally talk to their submission hosts, and often do
> certificate checking similar to what HTTPS clients do: compare the
> certificate's CN and SAN with the hostname they connect to and verify
> the certificate against locally stored trusted CAs.
>
> Best regards from Dresden/Germany
> Best regards from Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
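The fingerprint check discussed in this thread, as an added example that is not part of the original mails or of Mailcow: a standard-library Python script that derives the association data a TLSA record carries for a certificate (RFC 6698 selector and matching type) and compares it against a published record, so an operator can confirm the "3 1 1" record matches the certificate actually served before a bounce like the GMX one reveals a mismatch. The certificate is a constructed sample with filler key bits, and all function names are hypothetical.

```python
import hashlib
# TLSA values from RFC 6698; "3 1 1" (DANE-EE, SPKI, SHA-256) is the form usually published for SMTP.
SEL_FULL_CERT, SEL_SPKI, MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 0, 1, 2

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, tbs_start, _ = der_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, pos, end = der_tlv(cert_der, tbs_start)   # tbsCertificate ::= SEQUENCE
    fields = []                                  # (tag, tlv_start, value_end) per field
    while pos < end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                     # skip the optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, tlv_start, vend = fields[5]
    return cert_der[tlv_start:vend]

def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate Association Data a TLSA record carries for this certificate."""
    data = cert_der if selector == SEL_FULL_CERT else extract_spki(cert_der)
    if matching_type == MATCH_FULL:
        return data
    return hashlib.new({MATCH_SHA256: "sha256", MATCH_SHA512: "sha512"}[matching_type], data).digest()
def tlsa_rdata(cert_der, usage, selector, matching_type):
    """Operator side: the RDATA to publish, e.g. under _25._tcp.mail.example.org."""
    return f"{usage} {selector} {matching_type} " + tlsa_association_data(cert_der, selector, matching_type).hex()
def tlsa_matches(cert_der, selector, matching_type, record_hex):
    """Sender side: does the certificate presented in TLS match the published record?"""
    return tlsa_association_data(cert_der, selector, matching_type) == bytes.fromhex(record_hex)
def der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
# Constructed sample, not a real certificate: RFC 5280 layout with filler key bits.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(range(140))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                            + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
```

To check a live server, feed the DER certificate it presents on the SMTP port to tlsa_matches together with the hex field of the published record; a False result before a certificate rotation goes live is the mismatch that would otherwise cause DANE-validating senders to bounce.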
